The GDPR - What Is It About

The General Data Protection Regulation (commonly known as the GDPR) is new legislation imposed by the EU that applies to the use of personal data. The GDPR will enter into force in May 2018.

What Is the Purpose of the GDPR?

The GDPR is a step forward in ensuring transparency in the handling of data. The new regulation applies to any business that processes the data of EU citizens, whether or not it is based in an EU country. It is primarily about protecting individuals’ personal details. The aim of the GDPR is to give EU citizens control over their personal data and to change the approach of organizations across the world towards data privacy. Thus, the GDPR enshrines a wide range of existing and new rights for individuals in respect of their personal data. In practice, this means strengthening individuals’ rights to control the use of their personal data.

Which Information Is Personal Data?

Personal data refers to any information from which a natural person can be directly or indirectly identified. It does not matter whether the information relates to an individual in person or in the context of professional or public life.

Examples of Personal Data:

  • a name
  • a photo
  • an email address
  • voice or bank details

The GDPR’s Different Requirements for Various Stakeholders

For organizations such as companies, public entities and communities, the GDPR means increased and tighter obligations and requirements when they process personal data. Organizations have to ensure that they are able to comply with the GDPR. For example, it may be necessary to develop formatting capabilities to meet access requests.

What Do Organizations Have to Do in Practice?

  • Take a more proactive approach towards the management of personal data
  • Determine what data their business possesses
  • Ascertain how and where the data are retained
  • Set legally defensible policies for how the data will be collected, managed, and destroyed
  • Include data protection considerations in the core of their business activities
  • Protect any personal data in their possession
  • Implement appropriate protection measures, taking into account the level of risk the processing may pose to individuals, etc.