GDPR

The General Data Protection Regulation (GDPR) is a European Union (EU) law that protects the privacy and security of personal data, and it is the toughest privacy and security law in the world. Though it was drafted and passed by the EU, it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation took effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:

Personal data — Any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it is relatively easy to identify someone from it.

Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.

Data subject — The person whose data is processed. These are your customers or site visitors.

Data controller — The person who decides why and how personal data will be processed. If you are an owner or employee in your organization who handles data, this is you.

Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. These could include cloud storage services, like Google Drive, Proton Drive or Microsoft OneDrive, or email service providers, like Proton Mail.

  • New to the GDPR: the same law throughout Europe. The GDPR applies in all EU Member States, which makes it easier for both businesses and citizens.
  • Use of personal data must be in line with integrity-friendly principles. For example, processing must have a defined purpose. Thus, you cannot collect personal information "just in case" you might need it later. Be honest, open and transparent about how you use data. That is to say, individuals have a right to know how their data is being used, and they must have a say in the matter. Organizations must only store personal data for as long as it is necessary. Additionally, the processing must be safe and secure. Organizations must have and maintain the proper documentation showing that they comply with the regulation.
  • Use of personal data must be lawful. The GDPR sets out six alternative legal bases (for example consent or contract). If your processing is not based on any of those, it is not lawful. It might be necessary to process personal data for the performance of a contract. It could also be necessary to use personal data to prevent fraud and perform marketing.

The main practical implications

In summary, the GDPR establishes obligations for businesses and provides rights for citizens. Businesses are wise to update or establish their data protection compliance programme. Here are some examples of to-dos:

  • Inform citizens and customers of your activities in a transparent manner. The individuals whose personal data you process (data subjects) must be informed of your processing. To this end, organizations use Privacy Notices and various Privacy Policies on websites, as part of service agreements, etc.
  • Assign a Data Protection Officer (DPO) for your organisation, who acts as the main operator and the expert on your organisation's privacy work. The DPO must be reported to the responsible data protection authority in the country where your organisation is established. The rules regarding the DPO are stated in Articles 37-39 of the GDPR.

More articles by Rohit Singh