What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation that requires companies to provide protection, transparency, and accountability for the personal data of individuals in the EU. The GDPR became effective on May 25, 2018. While the regulation is EU law binding in all 27 Member States, its obligations apply to any company that processes the personal data of individuals in the EU, whether or not that company is itself based in the EU.
The GDPR modernizes the principles of the EU's 1995 Data Protection Directive (95/46/EC) and applies to the personal data of individuals in the EU. Financial penalties for non-compliance reach up to €20 million (roughly USD $24M) or 4% of worldwide annual turnover, whichever is higher.
Scope of GDPR
The GDPR applies to companies that are:
- established in the EU and process personal data, regardless of whether the processing itself takes place in the EU
- established outside the EU but offer goods or services to individuals in the EU, or monitor the behaviour of individuals within the EU
Key data definitions under the GDPR
As covered under GDPR Article 4, the law defines the following data-related terms:
- Personal data - any information relating to an identified or identifiable natural person (the data subject)
- Genetic data - personal data relating to the inherited or acquired genetic characteristics of a data subject
- Biometric data - personal data resulting from specific technical processing of the physical, physiological or behavioral characteristics of a data subject that allows or confirms their unique identification (for example, facial images or fingerprint data)
- Data concerning health - personal data relating to the physical or mental health of a data subject
GDPR Article 9 lays out explicit rules for processing "special categories" of personal data: such processing is prohibited unless one of the conditions listed in the Article applies, such as the data subject's explicit consent. Special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.
Key personal data processing principles
GDPR Article 5 focuses on the compliance principles for processing personal data:
- Lawfulness, fairness, and transparency – the processing of personal data should be done lawfully, fairly, and in a transparent manner
- Purpose limitation – process personal data for specified purposes and not for reasons incompatible with the initial purposes
- Data minimization – collect only what is necessary for fulfilling a legitimate purpose
- Accuracy – ensure that personal data is accurate, kept up to date, and that inaccuracies are addressed without delay
- Storage limitation – store personal data for no longer than what is necessary
- Integrity and confidentiality – ensure that appropriate technical and organisational security measures protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Accountability – the controller is responsible for compliance with the principles above and must be able to demonstrate that compliance
Data subject rights
GDPR Articles 12 to 22 set out the rights of data subjects that companies must be able to honour, including the rights of access, rectification, erasure, restriction of processing, data portability, objection, and not being subject to decisions based solely on automated processing.
For information about how Cyera can help your company comply with GDPR’s data processing principles and ensure readiness for addressing data subject rights, read this blog.