On May 25, 2018, the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27/4/2016) came into force.
It applies to all natural and legal persons who process personal data of citizens resident in the European Union. In order to comply with the Regulation, companies should adopt a series of policies and procedures, in particular creating a data recording system, creating or revising and publicising the privacy policy, and taking into account the new rights of data holders.
The Regulation requires companies, in particular: (i) to guarantee the exercise of data subjects' rights; (ii) to control the circumstances in which the consent of the right holders has been obtained, when required; (iii) to hold a documented record of all personal data processing activities; (iv) to establish, in certain cases, a Data Protection Officer; (v) to review data security and processing procedures in order to increase control of the risks associated with the use of information; and (vi) to communicate all security breaches that result in a risk to the rights of data subjects to the supervisory authority as well as to the data subjects.
The Regulation establishes fines that can go up to twenty million euros.