The European Parliament approved the General Data Protection Regulation (GDPR), which entered into force in May 2016 and its compliance will become mandatory as of May 25, 2018.

The purpose of the GDPR is to provide a set of standardised data protection laws across all the member countries. 

The GDPR regulates the data subject’s rights, such as rights of rectification and erasure. Companies must take into account the introduction of new rights, such as the right to be forgotten and the right to data portability from one service provider to another.

In addition, it details the general obligations of the controllers and of those processing the personal data. These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform (risk-based approach). Controllers are also required in certain cases to provide notification of personal data breaches.

In addition, companies should pay particular attention to consent for processing. It provides for very severe sanctions against controllers or processors who violate data protection rules.

In conclusion, the new regulation will change the way companies regulate data protection. Companies must respect the principles and rights of the data subjects as stipulated in the new laws, as well as take into account the general obligations of data controllers and processors, based on “Accountability”. They must address the specific requirements for consent.