The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.

This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.

The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.

Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

The GDPR requires all organizations collecting personal data to be able to prove clear and affirmative consent to process that data.

Once GDPR is in effect, it will be more important than ever for organizations to explain exactly what personal data they are collecting and how it will be processed and used. Without valid consent, any personal data processing activities will be shut down by the authorities

Any business that depends on processing personal information will have to appoint a DPO, who will be an extension of the data protection authority to ensure personal data processes, activities and systems conform to the law by design. A third-party DPO, such as MDS, is permitted.

The GDPR requires data controllers to conduct PIAs where privacy breach risks are high to minimise risks to data subjects.

Before organisations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they are in compliance as projects progress.

The regulation requires organizations to notify the local data protection authority of a data breach within 72 hours of discovering it.

Organisations need to therefore ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach.

One of the new data handling principles being introduced is the “data minimization principle”, that requires organizations not to hold data for any longer than absolutely necessary, and not to change the use of the data from the purpose for which it was originally collected, while – at the same time – they must delete any data at the request of the data subject (aka: the employee).

In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organizations that touch personal data.

Even organizations that are purely service providers that work with personal data will need to comply with rules such as data minimization

The GDPR requires that privacy is included in systems and processes by design. This means that software, systems and processes must consider compliance with the principles of data protection.

Moving forward, all software will be required to be capable of completely erasing data, which will be a challenge for a lot of software engineers

With GDPR, any European data protection authority is allowed to take action against organization, regardlress of where in the world the company is based.

The benefit for business is that they will have to deal with only one supervisory authority rather than a different one for each EU state.