The European Union's data privacy and security law contains hundreds of pages of requirements for organisations worldwide.
FREMONT, CA: The General Data Protection Regulation (GDPR) is among the most stringent privacy and security laws in the world. Although it was drafted and adopted by the European Union (EU), it imposes obligations on organisations anywhere that offer goods or services to, or monitor the behaviour of, individuals in the EU. The regulation became enforceable on May 25, 2018. The GDPR imposes severe penalties on those who violate its privacy and security standards, with fines of up to 20 million euros or 4 per cent of worldwide annual turnover, whichever is higher.
The GDPR demonstrates Europe's commitment to data privacy and security at a time when more people entrust their data to cloud services and data breaches occur daily. Because of the regulation's size, breadth and relative lack of specifics, compliance is a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
The GDPR's History
The 1950 European Convention on Human Rights states that "everyone has the right to respect for his or her private and family life, his or her home, and his or her correspondence."
As technology advanced, the EU recognised the need for up-to-date protections. Hence, the European Data Protection Directive of 1995 established minimum data privacy and security standards for member states to implement in their own laws. However, the Internet was already evolving into a data hoover. The first banner ad appeared in 1994. By 2000, most financial institutions offered online banking. Facebook opened to the general public in 2006. In 2011, a Google user sued the company for scanning her emails. Two months later, Europe's data protection authority declared that the EU needed a "comprehensive approach to personal data protection".
The GDPR was adopted in 2016, and all organisations in scope were required to comply by May 25, 2018.
The GDPR defines a large number of legal terms in detail. Listed below are a few of the most significant ones.
Personal data: Personal data is any information relating to an individual who can be identified, directly or indirectly. Names and email addresses are obviously personal data, but the term also covers location data, ethnic origin, gender, biometric data, religious beliefs, web cookies and political opinions.
Data processing: Any operation performed on personal data, whether automated or manual, counts as processing. The regulation's own examples include collecting, recording, organising, structuring, storing, using and erasing data; in practice almost anything done with the data qualifies.
Data subject: The data subject is the individual whose data is being processed. These are your customers or visitors to your website.
Data controller: The data controller is the person or organisation that determines the purposes and means of processing personal data.
Data processor: A data processor is a third party that processes personal data on behalf of the data controller, for example cloud storage platforms such as Tresorit or email service providers such as ProtonMail. The GDPR places specific obligations on processors in addition to those on controllers.