What is GDPR?

What is GDPR?

The EU General Data Protection Regulation (GDPR), (Regulation (EU) 2016/679), is an important data privacy regulation coming to the European Union (EU). GDPR was approved in April 2016 and replaces Data Protection Directive 95/46/EC. The change takes effect on May 25, 2018. GDPR is a regulation, not a directive.

The regulation defines data subjects, data controllers, data processors. “Data subjects” are natural persons residing within the EU. A data controller is an organization, like Facebook, that collects data from EU residents. The data controller determines the purposes, conditions, and methods of the data processing. A data processor, like Amazon Cloud Services, is a company that processes personal data on behalf of the controller. GDPR applies if the data controller, data processor, or the person from which data collected reside with the EU.

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

The goal is the regulation is to protect the data privacy of European Union citizens. Terms of use and data opt-in language must be easy to understand. It must be as easy to opt-in to data consent as it is to opt-out. In other words, websites, social media channels, and other data controllers can no longer use deceptive language and practices to access people’s personal data.

Who does the GDPR affect?

GDPR applies to all companies processing and holding the personal data of a natural person residing in the European Union.

  • GDPR applies to organizations located within the EU
  • GDPR also applies to organizations outside of the EU if they offer goods or services to, or monitor the behavior of, EU people

According to the official EUGDPR website:

“Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.”