GDPR is short for General Data Protection Regulation, a set of laws on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). GDPR has been in force since 25 May 2018 and also addresses the transfer of personal data outside the EU and EEA. It encourages businesses to act responsibly with an individual's data and, at the same time, provides a framework for businesses to standardize and regulate the real-world security and privacy needs of personal data used for business purposes.

Among others, GDPR includes:

  • The right to know what data a company holds about you
  • The right to be forgotten
  • Notification of data breaches within 72 hours
  • Clear responsibility for companies to obtain consent for the use of customer information
  • Stricter regulations regarding contacting customers and sharing contact details with third parties

With GDPR, EU residents benefit from significant improvements to their privacy rights and better control over their personal data. Every organization that collects and processes personal data of EU residents is concerned, even if it is not based in Europe.

GDPR sets forth fines of up to 20 million euros, or up to 4% of the company's global turnover of the preceding fiscal year, whichever is higher.

GDPR requires businesses to operate under the following key principles:

Lawfulness, fairness, and transparency
The organization collecting personal data must be clear as to why data is being collected and what it will be used for.

Purpose limitation
Organizations can collect data only for the purpose they need it for. That is, data collected cannot be further processed in a manner incompatible with that purpose.

Data minimization
Ensure the data captured is adequate, relevant, and limited to the minimum required for the purpose of processing it.

Accuracy
Organizations must institute processes and policies to ensure that the data they store and process remains accurate, valid, and fit for purpose.

Storage limitation
Organizations must enforce retention policies and prevent unauthorized movement and storage of data.

Integrity and confidentiality (security)
Every organization collecting and processing data is solely responsible for implementing appropriate security measures to protect users' personal data.

Accountability
Organizations must demonstrate that they have adopted the necessary steps to protect users' personal data, and be able to show the steps taken within their GDPR strategy as evidence.

GDPR compliance
Wellsome is fully GDPR-compliant and follows strategic Privacy by Design principles — developed together with Jason Cronk, a principal privacy consultant with Enterprivacy Consulting Group and an author of the book Strategic Privacy by Design.