The General Data Protection Regulation (GDPR), which will offer people within the European Union (EU) more protection on the use of their personal data, has come into effect.
The regulation replaces the 1995 Data Protection Directive, offering EU consumers the right to gain access to the data collected on them, and the intended use of the data.
Companies are required to secure explicit consent from users regarding the usage of their data, and seek additional permission if the use of the data changes. The new rule also offers consumers the right to have their data deleted if needed.
At the same time, the rule mandates companies to report data breaches to authorities within 72 hours and to affected users.
European Commission vice-president for the digital single market Andrus Ansip said: “Our new data protection rules were agreed for a reason: Two thirds of Europeans are concerned about the way their data was being handled, feeling they have no control over information they give online.
“Companies need clarity to be able to safely extend operations across the EU. Recent data scandals confirmed that with stricter and clearer data protection rules we are doing the right thing in Europe.”
Entities failing to comply by the rule can be fined up to €20m or 4% of the company’s global turnover.
Companies directly involved with the processing of data, or having a headcount of over 250 are required to appoint a data protection officer to ensure compliance with the rule.
Commissioner for justice, consumers and gender equality Vera Jourova said: “The new rules will put the Europeans back in control of their data. Now we have a choice and can decide what happens and who has what sort of data. You can ask and companies have to tell you. You can also recover your data if you leave or change service. Companies will also benefit from the new rules, because they will be the same everywhere and the companies will only have one authority to deal with. This makes it easier to expand a business activity to another Member State.”