Here’s how the General Data Protection Regulation (GDPR) will change how companies process, store and secure EU customer data. Credit: Thinkstock Last April, the European Parliament adopted the General Data Protection Regulation (GDPR). It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. Companies that do business in EU countries or process the personal data of EU citizens must be in compliance by May 25, 2018. (For more detail on what the GDPR means to U.S. businesses, see "General Data Protection Regulation (GDPR) requirements, deadlines and facts.") The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer. The GDPR contains 99 articles that define its requirements and rights granted to EU citizens, GDPR operations and structure, and penalties. The articles that will have the most significant impact on business are: Article 5, processing and storing personal data: All personal data must be processed lawfully and transparently, and only for the purpose specified to the individual. That data may be stored "in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." All personal data must be processed securely to protect against unlawful access, loss or damage "using appropriate technical or organizational measures." Those measures are not defined, but presumably if the data is lost or stolen, a company could be considered not in compliance. [Related: –>U.S. companies spending millions to satisfy Europe’s GDPR] Articles 6, 7 and 8, consent: All processing of personal data must be done lawfully, by which is meant that each individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual, with the exception of public authorities. Article 15, right to access: EU citizens have the right to know upon request what personal data a company is using and how it is being used. Article 17, right to be forgotten and to data erasure: EU citizens can expect companies to stop processing and to delete their personal data upon request. Article 20, right to data portability: EU citizens may transfer their personal data from company to company upon request. Articles 25 and 32, data protection: Companies must be able to provide a "reasonable" level of data protection and privacy to EU citizens. It's not clear what the GDPR governing body will consider reasonable. Articles 33 and 34, reporting data breaches: Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Article 35, impact assessments: Companies must conduct data protection impact assessments to identify risks to EU citizens. Those assessments also must describe how the company is addressing those risks. [Related: –>Why you need a data protection officer] Articles 37, 38 and 39, data protection officers: Some companies must appoint a data protection officer (DPO) to oversee data security strategy and GDPR compliance. Companies required to have a DPO process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. The International Association for Privacy Professionals (IAPP) estimates that 28,000 DPO roles will need to be filled. Article 50, international companies: International companies that collect or process EU citizen data must comply with the GDPR. Article 83, penalties: Companies may be fined up to EUR20 million or 4 percent of global annual turnover, whichever is higher. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe