The General Data Protection Regulation (GDPR) is the European Union regulation on data protection and privacy. It strengthens and replaces all pre-existing data protection laws within the European Union (EU) and the European Economic Area (EEA). All companies and public administrations that process the personal data of European citizens are affected. It has been applicable since May 25, 2018.
The extra-territorial nature of the GDPR extends its scope to companies outside the European Union that process the personal data of EU residents. Organizations that do not comply with the GDPR are exposed to reputational risk as well as the risk of sanctions (administrative, civil or criminal), with penalties of up to 4% of the company's annual global turnover or up to €20 million, and €1,500,000 per legal person.
The full text of the rules can be downloaded from this link.
Its purpose is to standardize and improve the protection of personal data. Its first objective is to return control of personal data to EU citizens and residents, while imposing significant sanctions in the event of non-compliance (up to 20 million euros or 4% of total annual global turnover). The GDPR considerably increases the existing data protection requirements by extending the territorial scope, the rights of individuals and the specific obligations of institutions.
From a practical point of view, the GDPR obliges organizations that process the data of European citizens to implement the following measures within their organization and processes:
Appointment of a data protection officer (DPO)
Establishment of a register of data processing activities
Securing the rights of data subjects, including employees and suppliers
Reporting of data breaches to regulators
Performance of a data protection impact assessment (DPIA) for the most sensitive assets
The key principles at the heart of the GDPR embody the general spirit of the data protection regime. Respecting these key principles is a fundamental element of good data protection practice, and it is also key to compliance with the detailed provisions of the GDPR.