Everything you need to know about a new EU data law that could shake up big US tech

Key Points
  • The General Data Protection Regulation came into force on Friday.
  • It will affect companies located in and outside the European Union.
  • The key principle of GDPR is giving consumers control of their data.
  • Companies face fines of up to 4 percent of total global turnover if they breach the rules.
GDPR: Why everyone is freaking out over four letters

You may have heard of the General Data Protection Regulation. It may sound boring, but it's really important and CNBC has a guide to help you understand it.

It's a piece of European Union legislation that could have a far-reaching impact on some of the world's biggest technology companies, including Facebook and Google.

So here's your guide to the GDPR.

What is GDPR?

GDPR is a piece of legislation that was approved in April 2016. European authorities have given companies two years to comply and it came into force Friday.

It replaces a previous law called the Data Protection Directive and is aimed at harmonizing rules across the 28-nation EU bloc.

The aim is to give consumers control of their personal data collected by companies. Not only will it affect organizations located within the EU, but it will also apply to companies outside of the region if they offer goods or services to, or monitor the behavior of, people in the bloc.

This is why GDPR could have a far-reaching impact.

EU's GDPR introduction on May 25 is just the start of the process: Citi

What are the key policies?

A major focus of GDPR is on strengthened conditions for consent. Companies will not be able to use vague or confusing statements to get you to agree to give them data, and they won't be able to bundle consent for different things together either.

"If you have a page of different consent, and saying by clicking here you consent to lots of things, that will be wrong. You need to be able to apply that consent individually," Harry Small, a partner at law firm Baker & McKenzie, told CNBC by phone.

Consent must also be easy to withdraw.

For children under 16, a person holding "parental responsibility" must opt in to data collection on their behalf.

Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The processor of the data will need to notify customers "without undue delay" after learning of the breach, according to an EU document.

When it comes to user data, consumers will have more control. You will be able to access the personal data being stored by companies and find out where and for what purpose it is being used. You will also have the right to be forgotten. This means you can ask whoever is controlling your data to erase it and potentially stop third parties processing it. Another provision allows people to take their data and transfer it to a different service provider.

Many 'regular' companies are unprepared for the new GDPR rules: CEO

Are there punishments for breaking the rules?

Yes, and potentially big ones. An organization in breach of GDPR laws will be fined up to 4 percent of annual global turnover or 20 million euros ($24.6 million), whichever is bigger.

Some of the biggest technology companies make billions in turnover every year, so a fine at that level could be a big hit if they were to breach the rules.

What will the impact be on firms?

Big organizations have had two years to get ready for GDPR.

The big technology firms that have huge user bases and handle massive amounts of data have spoken about what they are doing. Facebook recently released some new privacy tools that will help it comply with GDPR. Other big technology companies have also released their plans.

European companies gear up for new data privacy rules

In a recent note, Barclays said that GDPR is likely going to impact social networks.

"We think there is a risk that reported MAUs (monthly average users) could drop off for Facebook and Twitter starting in late 2Q. DAUs (daily average users) are far more important and less of a GDPR concern for the social networks, but may also drop off a bit," Barclays analysts said.

"In terms of ad revenue, we see less of an impact, but have heard additional concern around products like custom audiences which all platforms are using. Our checks suggest that most companies using cookies and tags for digital marketing should be relatively unchanged as most publishers have been using GDPR compliant notifications for months ahead of the May mandate."