But GDPR is far more than just an inbox-clogger. The regulation, seven years in the making, finally comes into effect on 25 May, and is set to force sweeping changes in everything from technology to advertising, and medicine to banking.
What is GDPR?
The law is a replacement for the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU. GDPR will significantly strengthen a number of rights: individuals will find themselves with more power to demand companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20m (£17.5m) or 4 percent of the company’s global turnover.
GDPR affects every company, but the hardest hit will be those that hold and process large amounts of consumer data: technology firms, marketers, and the data brokers who connect them.
Even complying with the basic requirements for data access and deletion presents a large burden for some companies, which may not previously have had tools for collating all the data they hold on an individual.
Timely, incisive articles delivered directly to your inbox.