This is the EU’s attempt to harmonise personal data protection laws across Europe. It sets down rules for how organisations should collect and process personal information, and is primarily designed to give more control to citizens over their personal data and how it is used.
Basically, organisations need to keep records of all personal data and show where it’s going, what it’s being used for, and how it’s being protected.
So what are the main changes?
The definition of personal data has been extended to include extra categories such as your computer's IP address or your genetic or biometric signature - anything that could be used to identify you. It’s no longer just names, addresses, contact details and so on.
Another main change is a new principle of accountability - you must be able to demonstrate how you are complying with the new rules.
And there are new definitions for the lawful bases under which you can process personal data. The lawful basis you choose affects the rights of the individuals. For example, if you seek consent to process someone’s data - and this isn’t always a requirement - it must be explicit. No more default opt-in tick boxes.