The European Union passed the General Data Protection Regulation (GDPR) on April 27, 2016. The new data privacy law replaces a directive from the 1990s and goes into effect on May 25, 2018, encompassing the 28 EU countries, including the United Kingdom. It applies to EU-based organizations as well as to any business that is not located in the EU but offers goods or services within the EU or monitors the behavior of data subjects in the EU. For example, a U.S.-based company that does business indirectly in the EU through distribution but collects relevant personal data of channel partners and end users would be subject to the regulation.
Under the GDPR, data protection is by design and default, meaning that:
- Each new service or business process that makes use of personal data must take protection of that data into consideration
- The strictest privacy settings automatically apply once a customer acquires a new product or service