What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive set of data protection rules. The aim of the legislation is to provide the same high level of data protection for EU residents in all EU countries with a unified legal framework across all member states. In contrast to the previous legislation, which was only a directive to be adopted by national legislation to be effective, the GDPR is immediately binding for and applicable in all European member states. The GDPR requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure.
Who is affected by the GDPR?
The GDPR has a broad territorial scope. It applies not only to all organizations established in the EU that process personal data, but also to any organization established outside the EU that processes personal data of individuals who are in the EU in order to: (a) offer them goods or services, irrespective of whether a payment is required; or (b) monitor their behavior within the EU.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (‘data subject’), such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organizations should take measures to minimize the amount of personally identifiable information they store, and ensure that they do not retain any information for longer than necessary.
What is data minimization?
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Data minimization means that an organization should only process the personal data it needs in order to achieve its processing purposes. In practice, this requires organizations to reduce the collection of personal data to what is strictly necessary and to implement permission and access control protocols and tools that limit access to information to those people within the organization who need it.
What are the sanctions and liabilities if a company doesn’t comply?
Data controllers and data processors face severe consequences if they do not comply with the European rules. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million or 4% of the controller's global annual turnover, whichever is higher. Moreover, both controllers and processors are subject to joint liability for damages.