- The General Data Protection Regulation (GDPR) will come into force on May 25.
- It will affect companies located in the European Union, but also those that have operations and customers there.
- The key principle of GDPR is giving consumers control of their data.
- There are fines of up to 4 percent of total global turnover if rules in the GDPR are breached.
You may have heard of the General Data Protection Regulation (GDPR). Most likely you haven't, because it sounds boring, but it's really important, and CNBC has a guide to help you understand it.
It's a piece of European Union (EU) legislation that could have a far-reaching impact on some of the biggest technology firms in the world including Facebook and Google.
So here's your guide to the GDPR.
What is GDPR?
GDPR is a piece of legislation that was approved in April 2016. European authorities have given companies two years to comply and it will come into force on May 25, 2018.
It replaces a previous law called the Data Protection Directive and is aimed at harmonizing rules across the 28-nation EU bloc.
The aim is to give consumers control of their personal data as it is collected by companies. Not only will it affect organizations located within the EU, but it will also apply to companies outside of the region if they offer goods or services to, or monitor the behavior of, people in the bloc.
This is why GDPR could have a far-reaching impact.
What are the key policies?
A major focus of GDPR is on the conditions of consent, which have been strengthened. Companies will not be able to use vague or confusing statements to get you to agree to give them data, and firms won't be able to bundle consent for different things together either.
"If you have a page of different consent, and saying by clicking here you consent to lots of things, that will be wrong, you need to be able to apply that consent individually," Harry Small, a partner at law firm Baker & McKenzie, told CNBC by phone.
Consent must also be easy to withdraw.
For children under 16, a person holding "parental responsibility" must opt-in to data collection on their behalf.
Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The processor of the data will need to notify customers "without undue delay" after learning of the breach, according to an EU document.
When it comes to user data, consumers will have more control. You will be able to access the personal data being stored by companies and find out where and for what purpose it is being used. You will also have the right to be forgotten. This means you can ask whoever is controlling your data to erase it and potentially stop third parties processing it too. Another provision of GDPR allows people to take their data and transfer it to a different service provider.