The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a regulation introduced by the European Union to set a new standard to protect the personal data of its citizens and residents. This regulation aims to give more rights to the individual to be in control of their personal data, as well as greater transparency on how this data is collected and processed, to prevent unauthorized use of, or access to, that data. Despite being an EU regulation, it applies to any businesses or organizations (data controllers and data processors) that collect, process, hold, or transfer personal data of individuals who are citizens of, or residing in, the European Union, regardless of where the business or organization itself is located.
Compliance with the GDPR was mandatory as of May 25, 2018.
Key concepts and definitions
The concepts and definitions outlined here, unless referenced as direct quotations from the regulation text,
Personal data
In the regulation, personal data is defined as "[...] any information relating to an identified or identifiable natural person ('data subject') [...] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [...]"1.
"Right to access personal data"1
The GDPR gives individuals the right to obtain information from the data controller and data processor if personal data concerning them is being kept and/or processed and request access to that personal data. The data processor must provide this information, free of charge, within a month of receipt of the request.
"Right to erasure - 'right to be forgotten'"1
An individual may request that their personal data be erased if the processed data is incorrect, if it fails to satisfy the requirements of the GDPR, if the individual withdraws consent to processing, or if the data is no longer necessary for the purpose for which it was collected or processed.
"Right to restriction of processing"1
An individual may request that the processing of their data be restricted if, for example, they contest the accuracy of the personal data, the data is being processed unlawfully, or the data is no longer necessary for processing but must be retained for legal reasons. In this case the data controller may only store the data and may not process it further without the individual's consent.
"Right to data portability"1
The GDPR guarantees the right of a data subject to receive the data connected to them that is stored or processed, and the personal data that they supplied, in a structured, common, and machine-readable format.
"Data protection by design and by default"1
An individual's personal data must only be processed if it is necessary for a specific purpose, and the data must be protected by means of adequate technical and organizational measures. Data protection principles must be implemented effectively when processing the data, and the required safeguards must be implemented.
"Security of processing"1
To ensure a level of security appropriate to the risk, the data controller and data processor must implement adequate technical and organizational measures; these include, for example, the pseudonymisation and encryption of personal data.
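Pseudonymisation, one of the measures named above, means processing data so that it can no longer be attributed to a data subject without additional information that is kept separately (GDPR Article 4(5)). The following is an added illustration, not part of the original text: the direct identifier is replaced by a keyed HMAC token, the key being the separately held "additional information". The records, the key and the helper names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records about fictional data subjects.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "orders": 3},
    {"email": "bob@example.org", "country": "FR", "orders": 1},
]

def token_for(email: str, key: bytes) -> str:
    """Derive a subject token from a direct identifier with a keyed HMAC.

    A plain unkeyed hash would be inadequate here: e-mail addresses are
    low-entropy and can be recovered by hashing a list of known addresses.
    With the key held separately by the controller, a holder of only the
    pseudonymised set cannot attribute a row to a natural person."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()

def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace the identifier in each record with its token; drop the e-mail."""
    return [
        {"subject_token": token_for(r["email"], key),
         "country": r["country"], "orders": r["orders"]}
        for r in records
    ]

def rows_for_subject(pseudo_records: list[dict], email: str, key: bytes) -> list[dict]:
    """Right of access: the controller re-derives the token to find the subject's rows."""
    t = token_for(email, key)
    return [r for r in pseudo_records if r["subject_token"] == t]

def erase_subject(pseudo_records: list[dict], email: str, key: bytes) -> list[dict]:
    """Right to erasure: remove every row that belongs to the subject."""
    t = token_for(email, key)
    return [r for r in pseudo_records if r["subject_token"] != t]

if __name__ == "__main__":
    key = secrets.token_bytes(32)           # held by the controller, separately from the data
    pseudo = pseudonymise(RECORDS, key)
    print(pseudo)                           # no e-mail addresses remain in the data set
    print(rows_for_subject(pseudo, "alice@example.org", key))
    print(erase_subject(pseudo, "alice@example.org", key))
    # A different key yields unlinkable tokens, so sets shared with different
    # processors cannot be joined on the subject column.
    print(pseudonymise(RECORDS, secrets.token_bytes(32))[0]["subject_token"] != pseudo[0]["subject_token"])
```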
Security breach communication framework
In case of a breach, data controllers and data processors are required to report it. Data processors must report the breach to the data controller without undue delay; the data controller must in turn report it to their supervisory authority within 72 hours of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.