EU General Data Protection Regulation

What is GDPR, and why is everybody talking about it? The General Data Protection Regulation (GDPR) aims to offer EU citizens a uniform and harmonized approach towards privacy in the European Union, and seeks to strengthen people’s rights to data protection as set out in Article 8 of the EU Charter of Fundamental Rights. After almost four years of deliberation and debate, the GDPR was finally approved by the EU Parliament on April 14, 2016. Although the document became valid 20 days after the approval date, the enforcement date was established as May 25, 2018. It might seem like a lot of time to prepare, but the truth is that there are lots of things to be done, due to some important changes. In this article, you can find GDPR explained.

Principles

Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Data subject refers to individuals who live in the EU and who have had their data collected, held, or otherwise processed by a data protection officer, controller, or another processor.
Data controllers are the entities responsible for defining the lawful basis for data collection and the processing of personal data related to data subjects.
Data processors work with the data controller and process data.
Data processing means regular and systematic monitoring or operations performed on sets of personal data. This can include automated processing or manual.
Personal data means any data, whether large scale or not, related to the data subject. The data here must be able to identify the individual due to it relating to a name, photos, bank statements or an email address.
Consent in this context means the necessity of obtaining the consent of the data subject to process data. The organisation must provide data subjects with an option to give consent and it must be a “freely given, specific, informed and unambiguous indication”.