The General Data Protection Regulation (GDPR) is a European Union (EU) regulation which came into effect in 2018. The GDPR gives individuals greater rights over their personal data and imposes additional restrictions on the organizations that have access to it. The GDPR tells organizations how they are allowed to collect and use personal data, and how they must protect it.
A short guide to the GDPR
GDPR timeline: The GDPR was released in May 2016 and the deadline for organizations to comply was May 25, 2018.
GDPR scope: The GDPR covers personal data, which is any information ‘concerning an identified or identifiable natural person’. This extends to a very wide range of information, including transactional documents; online identifiers such as IP addresses; and manual filing systems as well as databases. The regulation does not apply to data processing activities for law enforcement, national security purposes or purely for personal or household use.
What it replaced: The GDPR replaced the 1995 European Data Protection Directive (95/46/EC).
Purpose: The GDPR aims to provide a strong framework to protect personal data as a fundamental human right while enabling the free flow of data both within the EU and internationally in order to foster economic growth.
Who it affects: The GDPR applies to any organization processing the personal data of EU residents, regardless of whether the organization is located within the EU or outside.
Key features of the GDPR
Organizations must adopt measures to demonstrate compliance with GDPR principles, such as documenting data processing activities and restricting the amount of personal data they collect to the absolute minimum required (‘data minimization’).
Non-compliance with the GDPR can lead to fines of up to €20M or four per cent of an organization’s worldwide annual turnover for the previous financial year, whichever is greater.
You may only process personal data if you have a valid lawful basis for doing so, such as informed consent (not pre-ticked boxes), or a 'legitimate interest'.
Organizations must report data breaches to the relevant supervisory authorities within 72 hours if the breach is likely to put at risk the rights and freedoms of individuals.
These include the right to access their data free of charge and without delay; the right to have errors corrected ('rectification'); the right to have their data erased (‘the right to be forgotten’); the right to have it transferred to a different service provider in a structured, machine readable format ('data portability'); and the right to be informed about how their data is used.