The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for the data processing, state how long the data is retained, and state whether it is shared with any third parties or transferred outside the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breach within 72 hours if it has an adverse effect on user privacy.
The regulation applies if the data controller, the processor, or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. Some of the features of the GDPR are as follows.
Lawful basis for processing:
Unless a data subject has provided explicit consent to data processing for one or more purposes, personal data may not be processed unless at least one other legal basis applies. These bases include:
- For the legitimate interests of a data controller or a third party, unless these interests are overridden by the Charter of Fundamental Rights (especially in the case of children).
- To perform a task in the public interest or in the exercise of official authority.
- To comply with a data controller’s legal obligations.
- To fulfill contractual obligations with a data subject.
- To perform tasks at the request of a data subject who is in the process of entering into a contract with a data controller.
- To protect the vital interests of a data subject or another person.
Responsibility and accountability:
Data protection by design and by default:
The GDPR refers to pseudonymisation as a process, required when data is stored (the alternative being complete anonymisation), that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.
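As an added illustration (not part of the original article), the following Python sketch pseudonymises a constructed dataset by replacing the direct identifier with a keyed token, where the key and the token-to-identifier table are the "additional information" that must be held apart from the stored data; it also shows why an unkeyed hash of an identifier does not meet the definition, since anyone with a list of candidate identifiers can attribute such a token.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample dataset (no real people); "email" is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "orders": 3},
    {"email": "bob@example.org", "country": "FR", "orders": 1},
    {"email": "alice@example.org", "country": "DE", "orders": 2},
]
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonymisation_key() -> bytes:
    # The key is part of the "additional information": store it apart from the dataset.
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    # Keyed HMAC: deterministic under one key, so a subject's rows stay linkable,
    # but the token cannot be recomputed or reversed without the key.
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_token(value: str) -> str:
    # Plain hash of the identifier, shown here only as the weak alternative.
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    # Returns (dataset to store, token -> identifier table). Keep the table and the
    # key separate from the dataset, under different access controls.
    stored, lookup = [], {}
    for rec in records:
        row = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key)
            lookup[token] = rec[field]
            row[field] = token
        stored.append(row)
    return stored, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    # Only a holder of the lookup table (or the key) can attribute a token to a person.
    return lookup.get(token)


def guess_from_candidates(token: str, candidates: List[str], key: Optional[bytes]) -> Optional[str]:
    # Attribution attempt from a candidate list: succeeds against unkeyed tokens
    # (key=None), fails against keyed tokens unless the key is also available.
    for cand in candidates:
        made = unkeyed_token(cand) if key is None else pseudonym(cand, key)
        if hmac.compare_digest(made, token):
            return cand
    return None
```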
Right of access:
Right to erasure:
Records of processing activities:
Data protection officer: