What you need to know about GDPR, the new EU privacy rules that have Silicon Valley scrambling to keep up

The EU is implementing major new data privacy regulation next month.
It affects any company that processes EU citizens’ data, regardless of whether or not the company is based in the EU.
The GDPR has sent Silicon Valley scrambling to keep up — here’s what you need to know.

New regulations in the European Union are making a major headache for Silicon Valley.

Tech companies are currently scrambling to get ready before May 25th, the date that will see the implementation of a major new piece of European data privacy legislation: GDPR.

Here's the quick-and-dirty version of what you need to know.

GDPR?

It stands for General Data Protection Regulation.

So what actually is it?

It's a major new piece of European regulation that addresses how EU citizens' data can be used by corporations, introducing strict new rules around gaining people's consent to process their data. It was approved by the European Parliament in April 2016, and it's finally coming into effect in May 2018.

So what does it mean in practice?

GDPR furnishes Europeans with a number of additional rights when it comes to their data.

Companies need to ask customers for their data in a clear and accessible way. Those customers will have the right to demand organisations delete their data when asked. They will be able to ask for information on how and why their data is being processed. They will also be able to request copies of their data in a machine-readable format so they can take it elsewhere.

And if a company that holds their data realizes it has been breached, it must, in some circumstances, inform people within 72 hours.

Who does it affect?

Any organisation that is handling Europeans' data is affected, regardless of where it is in the world. Even if a company has no offices in Europe, and its employees have never set foot on the continent — if they've got EU data, they've got to play by EU rules now.

When exactly it it happening?

GDPR will come into effect on May 25 — actor Cillian Murphy's 42nd birthday, and the seventh anniversary of the last ever episode of "The Oprah Winfrey Show."

And what happens if companies dont comply?

Organisations in violation of the GDPR won't just get a slap on the wrist — there are some serious potential penalties. A company in breach of GDPR can be fined up to 4% of their annual global turnover (i.e. not just revenues generated in Europe) or €20 million, whichever is higher.

Are people ready?

A lot of them aren't.

Many US companies haven't realised that GDPR applies to them even though they don't have a physical EU presence, Kris Lahiri, chief security officer of enterprise file storage company Egnyte, wrote in an email to Business Insider — and even some of those that were aware of the issue didn't necessarily