The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Union (EU) in May of 2018. It applies to any organization that manages and processes data relating to people in the EU in any capacity, regardless of where the organization is based or operates.
GDPR compliance has become a focal point for businesses around the world, since non-compliance with any of its various privacy and security standards can lead to hefty fines and penalties.
The GDPR’s goal was to implement personal data protections that were comprehensive and could keep up with the expansion of modern technology, an expansion that has grown exponentially in recent years with the development of the internet.
Requirements for Organizations
A company that processes any personal data relating to individuals in the EU, whether it is managing documentation or providing goods and services, is subject to the GDPR. Moreover, an organization must not only be in compliance with the regulation but must also be able to prove that compliance, demonstrating how it complies rather than merely asserting that it does.
The GDPR data principles include:
- Processing must be lawful, fair, and transparent.
- Organizations must adhere to a purpose limitation, and may only process data for specific and legitimate purposes that have been explained in clear terms to the individual before processing.
- All processing must be carried out in the interest of data minimization, collecting and processing no more data than is necessary for the specified purpose.
- Organizations must maintain the accuracy of all data within their control, and keep up-to-date documentation of all processing activities.
- Organizations must adhere to strict storage limitations, and may only store personal data for as long as is appropriate for the specified purposes of processing.
- All actions must be performed in the interest of integrity and confidentiality, ensuring that all personal data in an organization’s control is kept secure, and encrypted when necessary.
- Organizations must accept accountability and are responsible for being in compliance with all the above principles.
The full set of GDPR rights for individuals is: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.