“The EU General Data Protection Regulation (GDPR)… was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” [Source]
This regulation was approved two years ago and goes into effect on May 25, 2018. That’s a little over 81 days from today, as a clock on the GDPR website points out.
Even if your organization is based outside of the EU, it still could be subject to compliance with GDPR, which
“applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” [Source]
By “personal data,” the regulation means
“anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address”
– that is, any detail “that can be used to directly or indirectly identify [a] person.” [Source]
Organizations that are not in compliance with the GDPR by this date will face significant fines – as in, “up to 4% of annual global turnover” or €20 million (US$24.6 million).
If you work for an institution or company that has not started looking at GDPR compliance issues, here are some resources to help you get started:
The EU GDPR website
EU Data Protection Law Looms | Inside Higher Ed
What is personally identifiable information (PII)? How to protect it under GDPR | CSO
The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data | Program on Corporate Compliance and Enforcement at New York University School of Law