The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018.
GDPR replaces the EU Data Protection Directive of 1995. The new regulation focuses on keeping businesses more transparent and expanding the privacy rights of data subjects. When a serious data breach has been detected, the company is required by the GDPR to notify all affected people and the supervising authority within 72 hours. Mandates in the GDPR apply to all data produced by EU citizens, whether or not the company collecting the data in question is located within the EU, as well as to all people whose data is stored within the EU, whether or not they are actually EU citizens. The GDPR also defines penalties for noncompliance.
What is the purpose of GDPR?
The purpose of the GDPR is to protect individuals and the data that describes them and to ensure that the organizations collecting that data do so in a responsible manner. The GDPR also mandates that personal data is maintained safely; in part, the regulation says personal data must be protected against “unauthorized or unlawful processing, and against accidental loss, destruction or damage.”
Reasons for collecting personal data are also defined in the GDPR; the data that’s collected must be for a specific and legitimate purpose and shouldn’t be used in any way beyond that intention. The regulation also suggests limits on how much data is collected, saying that data collection should be “limited to what is necessary in relation to the purposes for which they are processed.”
The GDPR further states that the organization collecting data should ensure it’s accurate and updated as necessary.
Under GDPR, companies can’t legally process any person’s personally identifiable information (PII) without meeting at least one of the following six conditions.
- The data subject has given express consent.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
What data does GDPR protect?
Users must give consent to any company or organization that wishes to collect and use personal data. As defined by the GDPR, personal data is information that relates to “an identified or identifiable natural person” — referred to as a “data subject.”
Personal data can include these types of information:
- Identification number
- Location data
- Any information that is specific to “the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
- Biometric data that is acquired through some form of technical process, such as facial imaging or fingerprinting
- Information related to a person’s health or healthcare
- Racial or ethnic information of an individual
- Political opinions or religious beliefs
- Union membership
7 principles of GDPR
The GDPR lays out seven basic principles on which it bases its regulations and rules of compliance related to personal data:
- Lawfulness, fairness and transparency. Data subjects must be clearly informed about how their data will be used.
- Purpose limitation. Data can be collected only for specific purposes.
- Data minimization. The amount of data collected is limited to what is necessary for specific processing.
- Accuracy. Organizations collecting data must ensure its accuracy and update it as necessary. Data must be deleted or changed when a data subject makes such a request.
- Storage limitation. Collected data won’t be retained longer than needed.
- Integrity and confidentiality. Appropriate protection measures must be applied to personal data to ensure it’s secure and protected against theft or unauthorized use.
- Accountability. Data collectors are responsible for ensuring compliance with the GDPR.
The seven principles of the GDPR underlie specific data subject rights, including:
- Right to be forgotten. Data subjects can request that their PII be erased from a company’s storage. The company has the right to refuse the request if it can successfully demonstrate a legal basis for its refusal.
- Right of access. Data subjects can review the data an organization has stored about them.
- Right to object. Data subjects can refuse permission for a company to use or process the subject’s personal data. The company can ignore the refusal if it can satisfy one of the legal conditions for processing the subject’s personal data but must notify the subject and explain the reasoning behind doing so.
- Right to rectification. Data subjects can expect inaccurate personal information to be corrected.
- Right of portability. Data subjects can access the personal data a company has about them and transfer it.