What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive set of data protection rules. The aim of the legislation is to provide the same high level of data protection for EU residents in all EU countries with a unified legal framework across all member states. In contrast to the previous legislation, which was only a directive to be adopted by national legislation to be effective, the GDPR is immediately binding for and applicable in all European member states. The GDPR requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure.
Who is affected by the GDPR?
The GDPR has a broad territorial scope. It applies not only to all organisations established in the EU that process personal data, but also to any non-EU established organisation that process personal data of individuals who are in the EU in order to: a. offer them goods or services, irrespective of whether a payment is required; b. monitor their behaviour within the EU.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (‘data subject’); such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organisations should take measures to minimise the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.
What is data minimisations?
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Data minimisation means that an organisation should only process the personal data that it needs to process in order to achieve its processing purposes. In practice, this requires organisations to reduce the collection of personal data to the strictly necessary and to implement permission and access control protocols and tools limiting access to information only to those people who need it within the organisation.
What are the sanctions and liabilities if a company doesn’t comply?
Data controllers and data processors face severe consequences if they do not comply with the European rules. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million, or, 4% of global annual turnover of the controller, whichever is bigger. Moreover, both controller and processors are subject to joint liability for damages.
Get Started with Tresorit and perform a Transfer Impact Assessment
Tresorit publishes a lot of data so that you can perform a Transfer Impact Assessment.
See our page on Technical and Organisational Measures
Still have questions left? Drop us a line