None of this is considered legal advice. I strongly advise you speak to your legal representation to understand how this affects you.
In 2016, the EU passed legislation that protects all citizens of the European Union, starting May 25, 2018. What does this mean?
The law takes protections from the previous Data Protection Directive and extends it to provide a directive to how data can be handled and stored through data Processors and Controllers.
The key to the nature of the GDPR is the right for a citizen to become forgotten on the internet. It can be easy enough to comply if a person uses proper user experience practices.
Example – Use affirmative opt-in for email list signup.
The above means that a person needs to explicitly request placement on specific email newsletters, including 3rd party offerings. Your wording needs to be clear and distinct.
Some key points to the GDPR include:
Within 72 hours of learning of a security breach, users must be given notice so they can take proactive care of their personal information.
Data subjects can request the data controller confirmation as to whether or not personal data concerning them is processed, where and for what purpose. The information processed must be made available via electronic format for free from the data controller.
Known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her data.
Introduction of Data Portability means the data subject can request a machine-readable format of their data so is transferred another data controller.
Privacy by design calls for the inclusion of data protection from the beginning of the designing of systems, and not later as an afterthought.
Internal record keeping requirements as further explained below, and Data Protection Officers (DPO) appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require monitoring of data subjects.
I have found two resources if have found helpful that make it easier to learn if you are compliant and what that means.
This site provides an overview of the GDPR legislation.
This site provides a checklist that might help you learn about your compliance.
I cannot stress enough using legal counsel to ensure your protection. The fines can be quite steep and particularly significant if you are dealing with user information in any manner with a citizen of the European Union.
I am not providing legal advice in any matter – only bringing awareness of the GDPR.