The key points of the GDPR are:
- User rights: Users have the right to request to access, correct, or delete the personal information that organizations collect about them. Users can also object to the processing of their data in certain circumstances.
- Privacy by Design (PbD): Organizations must proactively incorporate data protection measures in the design and operations of new systems and products.
- Consent: Where an organization relies on consent as its legal basis for processing (rather than, for example, a contract or a legal obligation), that consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Pre-ticked boxes and bundled consent do not qualify.
- Data breach notifications: If an organization suffers a personal data breach, it must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, the affected users must also be informed without undue delay.
- Data Protection Officer (DPO): Public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, must appoint a DPO, who is responsible for monitoring GDPR compliance.
- Transparency: Organizations are required to have a privacy policy that transparently explains how they collect and use users’ personal information.
- Data Protection Impact Assessment (DPIA): A DPIA is required before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale profiling, systematic monitoring of public areas, or processing of special categories of data using new technologies.