The General Data Protection Regulation (GDPR) goes into effect in the European Union on Friday, installing a new set of rules designed to protect individuals' personal data and privacy.
The law will affect all of the EU’s 28 member states and a host of major companies that collect and store data on the citizens of those countries.
The GDPR was approved in 2016, but companies were given a two-year grace period before implementation. That grace period ends Friday.
Here’s what you need to know about the new law:
What is it?
The GDPR is an effort to transfer more control over personal data, like addresses and phone numbers, from large companies back to individuals, affecting how companies obtain, use, store and secure data.
The law widens the definition of what counts as personal data. It gives residents the right to ask that a company delete their data, give them a copy of the data the company holds about them, or correct a mistake in that data, requests that companies must generally honor.
Beyond that, upon reviewing their information, individuals can object to its use for certain purposes, such as direct marketing.
In addition to attempting to reduce the amount of information collected, GDPR will also govern how companies share that data with third parties.
Under the new law, companies must notify the relevant data protection authority within 72 hours of becoming aware of a data breach, and must also inform the affected individuals without undue delay when the breach is likely to put them at high risk. The rule follows scrutiny of companies like Equifax in the U.S., which waited more than a month before telling the public about a devastating cyberattack that exposed personally identifiable information.
Each of the 28 member states designates its own supervisory authority to enforce the GDPR, and companies found in violation are subject to fines.
How will companies be affected?
GDPR does not just affect EU companies; it affects any company that stores and uses data on people in those 28 member states, even if the business has no physical footprint in the EU.
Because individuals have the right to know about, and request copies of, the data companies are collecting and storing, businesses have had to inventory and centralize this information, which is often scattered across multiple systems, in addition to updating general practices and procedures. Compliance costs, in some cases, have therefore been significant.
A study released in April by the Ponemon Institute, conducted among 1,000 affected companies, found that nearly half would not be, or were unsure whether they would be, ready to comply by Friday's deadline.
How have companies responded?
Many companies, like Twitter, have recently updated their privacy policies in anticipation of the new law.
It has been widely known that tech companies, like Facebook and Google, will be impacted by the law, but the law’s reach extends far beyond the tech sector. Entities from credit card and health care companies to airlines, restaurants and even small businesses will be forced to change their practices to comply with the complexities of the GDPR.
In response to the changing laws in the EU, many companies, like Facebook and Twitter, have said they will extend these enhanced user protections to all users, not only those in the EU.
Some services, like Instapaper, a read-it-later app owned by Pinterest, have temporarily blocked EU users while they work to ensure compliance.
Failure to comply can result in a fine of up to 4% of the company's worldwide annual revenue or 20 million euros (about $23.4 million), whichever is higher.