The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, and it represents a significant new legal regime for protecting personal data that will impact organizations worldwide.
GDPR establishes standards governing the collection, use, storage and destruction of personal data of EU residents. It replaces the 1995 European Data Privacy Directive, which required EU member states to adopt data protections in domestic laws, with a uniform, continent-wide standard. Notably, GDPR declares personal data protection to be a fundamental right for EU citizens — in marked contrast to the treatment of personal data under U.S. law — and obliges regulated entities to implement principles of data protection by design, that is, to incorporate data protection principles in information systems and processes from inception.