The General Data Protection Regulation (“GDPR”) takes effect on May 25, 2018. GDPR is an EU regulation addressing how companies collect and use personal information. Among other things, it requires that data breaches be reported to officials, and in some cases customers, within 72 hours of discovering the breach.
Other provisions of the GDPR require companies to obtain informed consent to use or store a person’s data. The law also sets forth how quickly data must be removed upon a person’s request based on the person’s “right to be forgotten.”
The GDPR applies to companies regardless of whether they have significant operations in EU countries. Failure to comply will subject a company to a fine of up to 4% of its global revenue or 20 million euros, whichever is greater.