The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world. Although drafted and approved by the European Union, the regulation imposes obligations on organizations regardless of where they operate, as long as they target or collect data on people in the EU. The regulation came into effect on May 25, 2018. The GDPR imposes fines on those who violate its privacy and security standards, with sanctions amounting to tens of millions of euros.

What is GDPR?

The GDPR (General Data Protection Regulation) is the European Union's law on data protection and privacy in the EU and the EEA, and on the transfer of personal data outside the EU and the EEA. The main purpose of the GDPR is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying privacy laws across the European Union. The regulation is mandatory: all organizations that hold or process personal data must comply.

The rules entered into force on May 25, 2018 and were reflected in the Data Protection Act 2018. The regulation applies to both “data controllers” and “data processors”; it consolidates existing rules and introduces a number of new rights for data subjects.

What is personal data?

Personal data is data that refers to a person who can be identified directly or indirectly, and that is:

  • electronically processed;
  • kept in archives;
  • part of an accessible set of information, for example educational records;
  • held by a public authority;
  • not necessarily specific to the person, but that leads to their identification.

Examples: name, e-mail addresses, location, religion, ethnicity, gender, data stored in web cookies, IP addresses, political opinions, biometric data, etc.

GDPR principles

Personal data should be processed fairly, legally and transparently.

  • Data should be collected for defined and legitimate purposes and should not be processed further in a manner incompatible with those purposes.
  • Data should not be excessive: only as much data as is strictly necessary should be processed.
  • The data must be correct and, if necessary, updated.
  • Data should not be stored longer than necessary.
  • Data must be kept secure.
  • Managers are responsible for the type of personal data they collect and how they use it. Employees should not disclose personal data outside the organization's procedures, nor use personal data held by others for their own purposes.

To whom does the GDPR apply?

The GDPR applies to any organization operating in the EU, as well as to any non-EU organization providing goods or services to EU customers or businesses. This includes any website that collects data about its visitors, whether directly for its own purposes or indirectly through third-party apps and tools (e.g. Google Analytics).

An individual who holds data about another person in a purely personal capacity, such as a family member's phone number stored in a phone, does not have to consider the GDPR for that data.