1. GDPR stands for the General Data Protection Regulation which will become law across the EU in May 2018
2. The new legislation will replace extremely outdated data protection regulation. The current legislation was last amended in 2003, before many of the most ubiquitous holders of personal data – Facebook, Instagram, Twitter – were even created.
3. All companies across the EU are subject to the rules. If you hold any consumer data that could identify a person, you must handle it carefully and legally.
4. This does not just include passwords, pin numbers or dates of birth – it includes location data, social security numbers, IP address, email addresses, as well as details on physical characteristics such as age, race, physical attributes, gender and many others.
5. Even if you are not responsible for a leak or unintended sharing with unauthorised parties of consumers personal data – for instance, if your companies database is hacked – you could still be legally liable for significant fines, even if a third party illegally exposes personal details of others.
6. The new laws will also codify how and when consumers can ask for their data to be transferred to a third party or destroyed.
7. Consent is a cornerstone for the new regulations and will require higher standards than the current 'tick-box' method for requesting access to share or store consumers data.
8. Crucially, consent must be capable of being withdrawn at any time by the individual with the same level of ease as how they gave their consent. No company has a right to an EU citizens personal data forever if they give permission on one occasion.
9. The new regulations will require quite a bit of work on the part of companies to adapt to, but are designed to make rules more straight-forward for businesses as well as protecting consumers – it is estimated that the new code could save EU more than €2bn collectively on an annual basis.
10. GDPR does not just level the playing field within the EU - companies outside of the EU are also subject to the regulation if they store any data relating to EU citizens.