General Data Protection Regulation (GDPR)

Overview

The General Data Protection Regulation (GDPR) sets out rules for the protection of personal data and the privacy of individuals in the European Union (EU). Although it exists to protect individuals in the EU, its territorial scope is not limited to EU organizations: GDPR applies to any organization, regardless of where it is located, that processes the personal data of individuals in the European Economic Area (EEA) in connection with offering them goods or services or monitoring their behaviour, as well as to any organization established in the EEA.

Key Terms
  • Controller - a person or company that determines the purposes for which and the means by which personal data is processed 
  • Data Subject - any natural person located in the EU, regardless of nationality or residence status, whose personal data is being collected, held or processed
  • European Economic Area (EEA) - an agreement that extends the EU's single market to three non-EU states (Iceland, Liechtenstein and Norway); GDPR has been incorporated into the EEA Agreement and therefore applies across all EEA states
  • European Union (EU) - The European Union is a political and economic union of 27 member states that are primarily located in Europe
  • Personal Data - any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
  • Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed
  • Processor - the person or company which processes personal data on behalf of the controller
  • Processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction

Regulation Requirements

Data Protection Requirements

GDPR requires that significant data protection safeguards be in place, and it imposes a number of obligations on organizations. These include:

  • Have a lawful basis for collecting and processing the personal data of EU data subjects (for example consent, performance of a contract, a legal obligation, or legitimate interests), document that basis, and only collect and use data when such a basis exists
  • Minimize the collection and processing of personal data: collect only data that is adequate, relevant and limited to what is necessary for the stated purpose, and retain it no longer than that purpose requires
  • Protect any personal data that the organization collects and/or uses by implementing appropriate technical and organizational measures, such as pseudonymization and encryption, that ensure the ongoing confidentiality, integrity, availability and resilience of processing systems
  • Conduct a data protection impact assessment where processing is likely to result in a high risk to individuals, to determine the risks and privacy impacts of collecting and processing the data; implement a plan to mitigate those risks; and continuously monitor both the risks and the mitigations for change
  • Have a breach notification policy, and notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals' rights and freedoms); where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay

Rights of Data Subjects

GDPR gives data subjects in the EU rights over how their personal data is collected, processed, and transferred by organizations. Under GDPR, EU data subject rights include: 

  • Access to any personal data that an organization holds about the individual, including a copy of that data
  • Knowledge of why an organization is processing the individual's personal data, the categories of personal data it processes, and the recipients with whom the data is shared
  • Correction of any errors in personal data collected or processed by an organization
  • Knowledge of how long an organization will store the individual's personal data, or the criteria used to determine that period
  • Under certain circumstances (for example, when the data is no longer necessary for the purpose it was collected for, or when the individual withdraws the consent the processing relied on), the data subject can require the organization to permanently delete the individual's personal data