Data Privacy by Location
Navigating Global Regulations
The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. It protects the privacy rights
of data subjects in the European Union. It ensures transparency in communication and accessible modalities for
data subjects to exercise their rights, which include: information about and access to personal data; rectification
and erasure, including restrictions on select processes; and opting out of automated decision-making. Data processors
and controllers must ensure privacy by design and default, and they may need to appoint a Data Protection Officer (DPO)
or implement risk assessments and other measures, at the discretion of the EU Member State or other entity designated
as their supervisory authority.
The GDPR applies to organizations based in the EU that process personal data, along with organizations outside of the EU that process the personal data of EU residents, offer goods or services to them, or monitor the behavior of EU residents. If a data breach occurs, the data controller is responsible for notifying its supervisory authority no more than 72 hours after becoming aware of the incident. The notice must include the nature of the breach, its likely consequences, and what measures are being taken to mitigate them, among other details.