GDPR is short for General Data Protection Regulation, the European Union (EU) regulation on data protection and privacy that applies across the EU and the European Economic Area (EEA). GDPR has been in force since 25 May 2018 and also governs the transfer of personal data outside the EU and EEA. It requires businesses to handle an individual's data responsibly. At the same time it provides a framework that businesses can use to standardise and regulate the real-world security and privacy requirements for personal data processed for business purposes.
Among other things, GDPR includes:
- The right to know what data a company holds about you
- The right to be forgotten (erasure of your personal data on request)
- Notification of personal data breaches to the supervisory authority within 72 hours of the organisation becoming aware of them
- Clear responsibility for companies to obtain valid consent (or establish another lawful basis) before processing customer information
- Stricter rules on contacting customers and on sharing their contact details with third parties
With GDPR, EU residents gain significantly stronger privacy rights and better control over their personal data. Every organisation that collects or processes the personal data of EU residents falls within its scope, even if the organisation is not based in Europe.
GDPR provides for fines of up to 20 million euros or up to 4% of the company's worldwide annual turnover for the preceding financial year, whichever is higher.
GDPR requires businesses to operate under the following key principles:
- Lawfulness, fairness and transparency: an organisation collecting personal data must be clear about why the data is being collected and what it will be used for.
- Purpose limitation: organisations may collect data only for the purpose they need it for. Data collected for one purpose cannot be further processed in a manner incompatible with that purpose.
- Data minimisation: the data captured must be adequate, relevant and limited to the minimum required for the purpose of processing.
- Accuracy: organisations must put processes and policies in place to ensure that the data they store and process remains accurate, up to date and fit for purpose.
- Storage limitation: organisations must enforce retention policies so that personal data is kept no longer than necessary, and must prevent unauthorised copying, movement and storage of data.
- Integrity and confidentiality: every organisation collecting and processing personal data is responsible for implementing appropriate technical and organisational security measures to protect it.
- Accountability: organisations must be able to demonstrate that they have taken the necessary steps to protect users' personal data, and to produce the steps taken within their GDPR strategy as evidence of compliance.