Unlike EU directives, which require further action by member nations’ governments to enact, the GDPR is (as its name states) a regulation: The rules will immediately become legally binding on May 25, 2018, with no further action or measures required from EU member states. The regulation is based on the foundational idea that every citizen of the EU has the following rights:
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure
- Right to restrict data processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Why is the GDPR necessary?
Many European countries already have their own robust data collection and storage laws, but the GDPR’s purpose is to make safeguarding users’ data stronger, easier, and more uniform across the European Union, unifying existing data protection regulations across its 28 member states.
This makes it easier for European consumers to take a more proactive role in how data about themselves is shared and retained by private enterprises. It also offers businesses overseas a single regulatory framework to which they must adhere, rather than the patchwork of various laws and protections currently in force across the EU.
This could be a considerable benefit to companies that market to several EU member states, as the GDPR will supersede all existing data privacy and protection laws currently upheld by the EU’s member states.
Data covered by the GDPR
Virtually all data pertaining to individuals residing in the European Union will be protected by the GDPR.
This includes uniquely identifying information—official documents like Social Security numbers in the U.S. and Social Insurance Numbers in Canada—and information routinely requested by websites, including:
- IP and email addresses
- Physical device information such as a computer’s MAC address
- Individuals’ home addresses
- Dates of birth
- Online financial information
- Online transaction histories
- Medical records
However, that’s not all the GDPR is intended to safeguard.
The legislation also protects user-generated data such as social media posts (including individual tweets and Facebook updates), as well as personal images uploaded to any website, including those that do not feature the likeness of the person who uploaded the image. It also covers any other uniquely personal information commonly transmitted online. Essentially, the GDPR protects all personal user data across every conceivable online platform.