The General Data Protection Regulation (GDPR) is a regulation that sets rules for the protection of personal data, covering the processing of personal data and the free movement of personal data by automated means.
The GDPR is expected to replace the existing Data Protection Directive on May 25, 2018. It is enforceable, binding and applicable if the data controller, the processor or the subject (person) is based in the European Union (EU). The regulation is also applicable to an organization based outside the EU if personal data of EU residents is collected.
Under the regulations, new criminal offenses have been created around the acts of re-identification of de-identified personal data and altering (or destroying) personal data to prevent individuals from accessing it.
While many applaud the movement to overhaul personal data protection laws, there is some concern about the lack of rules pertaining to cross-border data transfers and a lack of standards for data breach reporting.