- A data breach must be disclosed no later than 72 hours after it was first discovered.
- Users have the right to request a copy of data related to themselves and to request websites to remove their data (the right to be forgotten).
- User data should not be kept longer than what is reasonably necessary.
I have a website outside of the EU. Do I still need to comply?
If your website specifically targets consumers in the EU or you have a physical presence in a member state, then yes, you must comply. However, the GDPR does contain exceptions for websites that do not specifically target EU consumers. For further clarification and guidance, we recommend consulting your legal counsel.