GDPR
Data Protection
Definition
EU regulation governing personal data handling, emphasizing transparency and user rights.
Technical Details
The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that came into effect on May 25, 2018. It replaces the Data Protection Directive 95/46/EC and is designed to give individuals more control over their personal data. GDPR applies to any organization that processes personal data of EU residents, regardless of whether the organization is based in the EU or not. Key technical elements include principles of data processing (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality), rights of individuals (such as the right to access, rectification, erasure, and data portability), and requirements for data breach notifications. Organizations must also implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Practical Usage
In practical terms, GDPR requires organizations to obtain explicit consent from users before processing their personal data. They must also provide clear information about how that data will be used and allow users to withdraw consent at any time. Companies often implement privacy policies, conduct data protection impact assessments (DPIAs), and appoint Data Protection Officers (DPOs) to ensure compliance. For example, businesses may need to adjust their data collection methods, update their privacy notices, and implement secure data storage solutions to comply with GDPR requirements. Non-compliance can result in significant fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Examples
- A company collects email addresses for a newsletter subscription and must provide clear information on how the data will be used, allow users to opt-in, and offer an easy way to unsubscribe.
- An online retailer must ensure that it has the user's consent before processing their personal data for targeted marketing and must allow users to access their data and request deletion if they choose.
- A social media platform must implement features that allow users to download their data and transfer it to another service provider, adhering to the data portability requirement under GDPR.