When asked to name the things they own, most people would list physical objects like cars, houses, furniture, clothing, jewelry, electronics, computers, tablets and smartphones. If asked about digital objects (i.e., data) that they own, some might list the digital copies of music, television shows and movies they purchased from Amazon or iTunes – and maybe the photos and videos they created with their smartphones, or uploaded to Instagram or Google.
Few people would instinctively list personally identifiable information among their digital assets. Medical history and financial records are the most obvious examples of this type of data – but many people fail to consider all the personal data that's included in the commercial transactions that lead to obtaining the physical assets listed earlier. All of that data exists within countless databases and has often been shared with third parties, without the individual's consent or knowledge.
Here in the United States, recent revelations about companies like Palantir, Cambridge Analytica and Facebook have exposed the dangers of disregarding personal data protection. In these cases, emails, text messages, browser histories, smartphone GPS location histories, and massive amounts of social media data were discovered to have been used in very disturbing ways.
On May 25, the EU General Data Protection Regulation (GDPR) went into full effect. This landmark regulation makes personal data protection a legal compliance and strategic priority for organizations processing the personal data of EU residents. GDPR doesn’t apply only to companies based in the EU – it applies globally for any enterprise processing the personal data of individuals who live there. A central concept of GDPR is its definition of personal data as any data that identifies an individual, directly or indirectly. For example, GDPR considers an IP address or GPS location to be personal data. Its broad definition of personal data is expected to expand more over time. GDPR puts the individual at the center of data protection by giving every EU resident the right to know and decide how their personal data is being stored, protected, and used. It also establishes the individual’s right to restrict further processing of their personal data and to request that it be deleted, which is known as “the right to be forgotten” – my favorite aspect of the GDPR.
Because it hasn't been long since it went into full effect, it will take a while for organizations to understand the broad reach and implications of GDPR compliance. I recently received email notifications from my search engine, social media websites, hosting company, blogging platform vendor and other service providers regarding policy changes they were implementing due to GDPR. These include transparency about what data is collected, restrictions on how that data can be used, and user-customizable time limits for how long data can be retained (after which it’s automatically deleted).
With all this in mind, I am cautiously optimistic that GDPR heralds a seismic shift in personal perspectives on data and data privacy.