The General Data Protection Regulation (GDPR) is a new set of standards that regulates consumer rights regarding their data. The European Parliament adopted the GDPR in April 2016 to replace outdated data protection regulations from 1995. The GDPR's purpose is to protect the privacy and personal data of European citizens and transactions in the European Union (EU) member states. It also protects personal data from being exported outside of the EU.
The GDPR was put into place to protect consumers from their data becoming exposed due to data breaches. As a result, companies that collect data on European citizens must comply with GDPR. The same amount of security that is required for information like IP addresses and cookies is now needed for names, social security numbers and addresses.
One of the standards set by the GDPR states that a company must provide a "reasonable" level of personal data protection. Because "reasonable" is not defined, companies must come up with their own interpretation of this standard. The non-specific definition also gives the GDPR more leeway in terms of imposing fines for non-compliance and data breaches.
Companies that process or store any information about EU citizens must be GDPR compliant. Compliance applies even to companies that do not have a specific business presence inside the EU. Most companies affected by GDPR compliance are in the technology industry.
Companies that meet the following criteria must be GDPR compliant:
Companies that are not GDPR compliant can expect to receive a steep penalty of up to 4% of global turnover or €20 million, whichever is higher.