Stands for "General Data Protection Regulation." GDPR, formally Regulation (EU) 2016/679, is a European Union law adopted on April 27, 2016 and applicable since May 25, 2018. It replaces the EU Data Protection Directive (Directive 95/46/EC), which was adopted in 1995. The primary purpose of GDPR is to protect the personal data of individuals located in the European Union (EU).
The 88-page regulation opens by stating that the protection of natural persons with regard to the processing of their personal data is a fundamental right. The rules within the General Data Protection Regulation are designed to uphold this premise. Among other obligations, it requires data controllers (the organizations that decide why and how personal data is processed) to protect the data, give individuals access to their data, and make the data easily transferable to another provider (data portability).
GDPR updates the previous Data Protection Directive for modern technologies. Its numbered recitals and articles include, for example:
- Recital 42 states that consent is only informed if the data subject knows at least the identity of the controller (such as the operator of a website) and the purposes of the processing, and that the controller must be able to demonstrate that consent was actually given.
- Recital 49 recognizes that processing personal data to the extent strictly necessary for network and information security, such as preventing unauthorized access, stopping the distribution of malicious code, and defending against denial-of-service attacks, is a legitimate interest of the controller. It does not itself outlaw such attacks; it permits the processing needed to detect and defend against them.
- Recital 83 (together with Article 32) states that controllers and processors should assess the risks of their processing and mitigate them with appropriate measures, such as encryption.
- Article 33(1) requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Article 34 separately requires the affected individuals to be informed without undue delay when the breach is likely to result in a high risk to them.
To Whom Does GDPR Apply?
GDPR must be followed by every controller and processor established in the EU, whether a public body or a private company or organization. Fines and penalties may be assessed against entities that do not comply; the maximum administrative fine is 20 million euros or 4% of worldwide annual turnover, whichever is higher. While GDPR is commonly associated with IT industries, such as e-commerce websites and cloud services, it applies to any EU organization that processes personal data. Examples include health care services, law firms, educational institutions, scientific research firms, and government entities.
While GDPR is enforced within the European Union, it also applies to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior. For example, if a U.S.-based company stores data about individuals living in Sweden as part of selling to them, it must comply with GDPR. On the individual side, GDPR protects data subjects located in the EU regardless of their citizenship. It does not apply to processing carried out by a natural person in the course of a purely personal or household activity, such as keeping a private address book.