The General Data Protection Regulation is a law coming into effect on May 25th, 2018.
It deals with data protection and specifically the protection of data belonging to EU citizens. It will update the current law and tighten up how the personal data of EU citizens can be handled, giving data owners more control over what can and can’t be done with it.
The GDPR will affect all businesses that process EU personal data, even if they have no physical presence in the EU.
Under the Regulation, the standard for keeping data secure is clearly defined. Technical measures need to be in place so that data is protected by design and by default.
The new law will empower EU data owners. Clear consent will be needed before processing can begin and requests made by data owners in relation to their data will need to be actioned.
Requests can include asking a business what data it holds and asking to receive a copy of it (including in a machine-readable, portable form), asking to have inaccurate data corrected, asking for processing to stop, or asking for the data to be completely erased from the system.
It will be necessary not only to comply with the law but also to demonstrate compliance. Documenting what you’re doing and why you’re doing it in relation to the personal data you are collecting and processing will be essential.
The ICO website is a useful GDPR resource: Guide to GDPR.
Wired has a more digestible article here.