The General Data Protection Regulation (GDPR) is a European Union law with which, as of 25 May 2018, all organisations are required to be compliant.
It sets out detailed requirements for companies and organisations on collecting, storing, and managing personal data.
It applies to both European organisations that process personal data of individuals in the European Union (EU) territory, and to companies and organisations outside the EU that target people living in the EU.
Stronger rules on data protection under the GDPR mean:
- people have more control over their personal data
- businesses benefit from a level playing field
The type and amount of personal data a company or organisation may process depends on the reason for processing it (legal reason used) and the intended use:
- lawfulness, fairness and transparency: personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed;
- purpose limitation: there must be specific purposes for processing the data and the company or organisation must indicate those purposes to individuals when collecting their personal data. A company or organisation cannot simply collect personal data for undefined purposes;
- data minimisation: the company or organisation must collect and process only the personal data that is necessary to fulfil that purpose;
- accuracy: the company or organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not;
- compatibility: the company or organisation cannot further use the personal data for other purposes that are not compatible with the original purpose;
- storage limitation: the company or organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected;
- integrity and confidentiality: the company or organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.
A company or organisation must clearly provide individuals with information on:
- right of access by the data subject;
- right to rectification;
- right to erasure ('right to be forgotten');
- right to restriction of processing;
- notification obligation regarding rectification or erasure of personal data or restriction of processing;
- right to data portability;
- right to object;
- automated decision-making, including profiling.
In 2016, the GDPR entered into force after it overwhelmingly passed the European Parliament by majority, unifying the EU under a single data protection regime.
It also empowered member state-level data protection authorities to enforce the GDPR with sanctions and fines.
Last edited on 27 November 2019.