Happy GDPR Day

On May 25, the European Union’s new data and privacy law takes effect. The EU’s General Data Protection Regulation (GDRP) changes the rules for companies that collect, store or process large amounts of information on residents of the EU, requiring more openness about what data the companies have and with whom they share it. The GDRP will have a large impact on US companies and establishes Europe as the global leader on data protection. Generally speaking, the law requires more openness about what data companies have and whom they share it with and gives E.U. ‘data subjects’ the rights over their data. [A ‘data subject,’ if you're scoring at home, is any person whose personal data is being collected, held or processed.] The GDRP clarifies individual rights to the personal data collected by companies around the world for targeted advertising and other purposes. Broadly, the new rules mean that:

• Companies will have to use plain language to explain how they collect and use data. Companies will keep on collecting and analyzing personal data from your phone, the apps you use, and the sites you visit. The big difference is that now the companies will have to justify why they are collecting and using that information. As a result, companies are flooding users—including users here in the U.S.—with notices that aim to better explain their practices and the privacy choices they offer.

• Companies are required to give E.U. users the ability to access and delete data and to object to how their data is being used. Firms have to clarify how long they retain data.

• Companies must disclose, within 72 hours, when they suffer data breaches. (By contrast, Yahoo did not reveal a breach that involved three billion users for over two years)

• GDRP violators face fines of up to 20 million euros ($24 million) or 4 percent of annual global revenue — whichever is greater.