GDPR (General Data Protection Regulation)
The EU's comprehensive data protection law (Regulation (EU) 2016/679) that governs how personal data is collected, processed, and stored. GDPR applies to any organization processing EU residents' personal data, regardless of the organization's location. Understanding GDPR is crucial for any business operating in or with the European Union.
What is GDPR?
GDPR protects personal data of EU citizens and establishes a framework for data protection and privacy rights, giving individuals control over their personal information.
Who does it apply to?
Any organization that processes personal data of EU residents, regardless of location. This includes companies outside the EU that offer goods or services to EU residents or monitor their behavior. Both data controllers and data processors are subject to GDPR requirements.
Lawfulness, Fairness, and Transparency
Data processing must be lawful, fair, and transparent to the data subject.
Purpose Limitation
Data collection must have explicit, specific, and legitimate purposes.
Data Minimization
Collected data should be limited to what is necessary for the intended purpose.
Accuracy
Personal data must be accurate and kept up to date when necessary.
Storage Limitation
Personal data should not be stored longer than necessary.
Integrity and Confidentiality
Personal data must be secured through appropriate technical and organizational measures.
Accountability
Data controllers must be able to demonstrate compliance with GDPR.
Right to be Informed
The right to know how their data is collected and used.
Right of Access
The right to obtain a copy of their personal data.
Right to Rectification
The right to request correction of inaccurate or incomplete personal data.
Right to Erasure (Right to be Forgotten)
The right to request deletion of their personal data in specific circumstances.
Right to Data Portability
The right to receive their personal data in a structured, commonly used format.
Right to Object
The right to object to processing of their personal data in certain circumstances.
1. Legal Basis for Processing
You must have a legal basis for processing personal data:
- Consent (freely given, specific, informed, and unambiguous)
- Contract performance
- Legal obligation
- Vital interests
- Public task
- Legitimate interests (with balancing test)
Reference: GDPR Article 6
2. Data Breach Notification
Data breaches must be reported to supervisory authorities within 72 hours of discovery.
Reference: GDPR Article 33
3. Privacy by Design
Data protection must be built into systems and processes from the start.
Reference: GDPR Article 25
GDPR violations can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. Supervisory authorities can also issue warnings, reprimands, and temporary or permanent bans on data processing.
Reference: GDPR Article 83
Data Audit & Inventory
Conduct comprehensive data mapping to identify all personal data processing activities, data flows, and third-party relationships.
Legal Basis Documentation
Establish and document legal basis for each processing activity, including legitimate interest assessments where applicable.
Privacy Notices & Transparency
Update privacy policies and notices to meet GDPR requirements, ensuring clear communication of data subject rights.
Security & Technical Measures
Implement appropriate technical and organizational security measures, including encryption and access controls.
Staff Training & Awareness
Train staff on GDPR requirements and data protection practices, including breach response procedures.
Data Subject Rights Procedures
Establish procedures to handle data subject requests (access, rectification, erasure, portability) within required timeframes.
EUR-Lex: Regulation (EU) 2016/679
Official guidance and interpretations
UK Information Commissioner's Office guidance