General Data Protection Regulation (GDPR)
The GDPR is a set of data protection rules that applies to businesses based in the EU, as well as businesses around the world that provide services to, or process data from or about, individuals in the EU. It requires that individuals have control over their personal data, and it specifies how such data may be collected, processed, and stored.
In summary, the GDPR requires:
- transparency about how data is processed
- an individual's access to, and information about, collected data
- the correction of stored data as requested
- the removal of data ("right to be forgotten")
- the restriction of data processing
- data portability.
To protect data, the GDPR also requires that:
- personal data must only be collected when consent from the user has been obtained
- personal data must not be used for purposes inconsistent with the initial purpose of collection
- personal data must not be stored longer than required by the purpose of collection
- personal data must be kept confidential unless required by law.
See: European Commission's Data protection in the EU