GDPR is a European privacy law enacted on May 25th, 2018. It has four basic requirements:
Whenever you ask for someone’s personal information, you must disclose how the information will be used.
Legitimate reason for using personal information
The best reason for using someone’s personal data is that they have consented to it. Without their consent, you may still have a legitimate reason (such as a legitimate interest), but its legitimacy may be harder to prove.
New rights afforded to data subjects
People have the right to know what data you store about them, to obtain a copy of it from you, to withdraw consent to your use of their data, or to have it deleted.
Protection of personal data
You should protect personal data at all times. It is recommended that you encrypt sensitive data about a person whenever possible. Sharing it with third parties is prohibited without consent.
Failing to abide by GDPR can result in fines of up to $20MM or 4% of annual revenue.