It's not as if the privacy of our users did not matter before. Of course it did. But GDPR introduced concepts for talking about it in more detail.
It also assigned a monetary value to not caring, one that should scare all of us: an organization can be fined up to 4% of its global annual turnover or 20 million euros, whichever is greater.
It introduced six requirements:
- Breach Notification - if personal data is leaked, companies can't keep it a secret; the supervisory authority has to be notified, within 72 hours of becoming aware of the breach where feasible. And to know that there was a breach at all, you need to know who has been accessing the personal data.
- Access to Your Data - if anyone holds data about you, you can ask for it and they have to give it to you, free of charge.
- Getting Forgotten - if the original purpose you consented to changes, or you withdraw your consent, your data needs to be erased.
- Moving Your Data - if you want to take your data elsewhere, they have to provide it in a structured, machine-readable format.
- Privacy by Design - if personal data is involved, how it is handled needs to be considered from the start of the design, and collecting personal data "just in case" is not something you can do.
- Name Someone Responsible - appoint a Data Protection Officer where the regulation requires one, and make sure they know what they're doing.