What are the GDPR requirements?

Last April, the European Parliament adopted the General Data Protection Regulation (GDPR). It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. Companies that do business in EU countries or process the personal data of EU citizens must be in compliance by May 25, 2018. (For more detail on what the GDPR means to U.S. businesses, see "General Data Protection Regulation (GDPR) requirements, deadlines and facts.")

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.

The GDPR contains 99 articles that define its requirements and rights granted to EU citizens, GDPR operations and structure, and penalties. The articles that will have the most significant impact on business are:

Article 5, processing and storing personal data: All personal data must be processed lawfully and transparently, and only for the purpose specified to the individual. That data may be stored "in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." All personal data must be processed securely to protect against unlawful access, loss or damage "using appropriate technical or organizational measures." Those measures are not defined, but presumably if the data is lost or stolen, a company could be considered not in compliance.  

[Related: –>U.S. companies spending millions to satisfy Europe’s GDPR]

Articles 6, 7 and 8, consent: All processing of personal data must be done lawfully, by which is meant that each individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual, with the exception of public authorities.

Article 15, right to access:  EU citizens have the right to know upon request what personal data a company is using and how it is being used.

Article 17, right to be forgotten and to data erasure: EU citizens can expect companies to stop processing and to delete their personal data upon request.

Article 20, right to data portability: EU citizens may transfer their personal data from company to company upon request.

Articles 25 and 32, data protection: Companies must be able to provide a "reasonable" level of data protection and privacy to EU citizens. It's not clear what the GDPR governing body will consider reasonable.

Articles 33 and 34, reporting data breaches: Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.

Article 35, impact assessments: Companies must conduct data protection impact assessments to identify risks to EU citizens. Those assessments also must describe how the company is addressing those risks.

[Related: –>Why you need a data protection officer]

Articles 37, 38 and 39, data protection officers: Some companies must appoint a data protection officer (DPO) to oversee data security strategy and GDPR compliance. Companies required to have a DPO process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. The International Association for Privacy Professionals (IAPP) estimates that 28,000 DPO roles will need to be filled.

Article 50, international companies: International companies that collect or process EU citizen data must comply with the GDPR.  

Article 83, penalties: Companies may be fined up to EUR20 million or 4 percent of global annual turnover, whichever is higher.