Overview
- Implementation is staggered: the Data Protection Board is activated now, consent managers have 12 months to register, and core compliance for data fiduciaries kicks in after 18 months.
- A four-member Data Protection Board will oversee enforcement, conduct digital proceedings and issue orders under the law.
- Data fiduciaries must notify the Board within 72 hours of any personal data breach and inform affected users without undue delay, with limited government discretion to defer user disclosure in sensitive cases.
- Companies must erase personal data after three years of user inactivity and maintain processing and consent logs for at least one year, subject to legal retention requirements.
- Cross-border transfers are permitted by default but may be restricted or localised for specified data categories, and Significant Data Fiduciaries face annual audits, DPIAs and algorithmic risk checks.