Whether you love it or hate it, there’s a new EU regulation coming up. If you live in an EU country, you know all about the sometimes outright comically sounding EU regulations, like this one, regarding the shape of bananas.

But fruits aside, the European Union is working on replacing an old data protection regulation with a new one, titled the “General Data Protection Regulation”. This regulation, applying to member states in 2018, focuses on regulating how personal data is processed and stored, and it will be part of the set of the EU’s privacy and human rights laws.

The reform of the previous regulations was proposed in 2012 and entered into force last May. The regulation has a two-year grace period allowing countries and companies to prepare for the change.

The new era of digital privacy

Here are just some of the new rules and regulations set:

Individual control of personal data

According to the new standards, individuals should be able to control and view their data and should be informed when their data is being collected. Interestingly, the reform requires an opt-in model for data collection except in certain circumstances. And you still have to be notified even when you can’t opt out, such as in cases where gathering the data is legally required. The legislation also includes a clause which states that users affected by mishandled data are entitled to compensation as well.

The regulation also states that users must easily be able to move their data from one company to another. This also includes the ability to permanently delete your data, which brings assurance that your data is actually removed and not simply unlinked.

Transparency requirements for companies’ data protection policies

What this means is that companies are required to publish information on how exactly they are protecting users’ data. The regulation actually suggests using simple icons to indicate where and by whom the personal data is processed and stored (perhaps something like this?).

Data protection

The reform introduces new obligations for companies regarding the protection of data. The obligations include, for example, requiring a dedicated data protection officer who is in charge of the data processed and who reports to a supervisory agency (this officer is not, however, required in smaller companies).

The regulation also requires companies to invest in designing data protection policies as part of their business plan. Suggested data protection techniques include anonymization and encryption of personal data.

Breach notifications

Companies are required to give notice of security breaches that have caused or might have caused loss of personal data. The notification must be made as soon as possible (and in any case within 72 hours) to both the authorities and the people affected by the breach.

Of course, all this wouldn’t be much without the best incentive for companies: money. The regulation sets sanctions that can be imposed on companies failing to comply, which can be as much as 20 million euros or, alternatively, 4 % of the company’s annual turnover.