What is GDPR?
The General Data Protection Regulation (GDPR) is a set of laws that governs how private organizations protect the personal data of EU citizens. After four years of drafting and debating the particulars, the EU Parliament approved the regulation in April 2016, and it became effective on May 25, 2018.
The GDPR is designed to establish uniform data security regulations for all member states of the EU so that individual member states don’t need to create their own data security laws. The GDPR builds upon regulations outlined in previous EU privacy protection regulations, such as the Privacy Shield and Data Protection Directive, but expands on those earlier measures in a few significant ways:
- Collecting Personal Data: The GDPR lays out more stringent rules for how organizations gather a citizen’s data, requiring, by default, all companies to obtain explicit and informed consent from the individual consumer.
- Data Portability: People must also have a way to cancel said consent, and be able to request all the data an organization has about them. This allows users to easily check what information companies have collected on them and also enables consumers to transfer their data between networks, resulting in less platform dominance from individual companies.
- Penalties: Fines for violating the GDPR are much more severe than under previous regulatory frameworks, with the maximum fine fixed at 4% of an organization’s worldwide turnover or $20 million, whichever is greater.
Note: In some areas, the GDPR allows individual member states to enact their own laws to fit local needs and existing legislation. For example, the regulation allows member-state variations on the lawfulness of processing, the definition of sensitive personal data, human resources data, and parental consent, among others.