GDPR stands for General Data Protection Regulation; it is a new EU regulation coming into effect on the 25th May 2018. GDPR replaces the 1995 EU Data Protection Directive. As opposed to EU Directives, which are implemented individually by each member state, EU Regulations apply at once in all member states. However, the impact of this new law reaches far beyond EU borders.
GDPR introduces a series of new measures aimed at offering improved data privacy and protection for all European Union residents. This has far-reaching implications, as it affects not only EU organisations but also organisations in other countries that collect or process data from EU residents. It also imposes severe penalties for breaches and non-compliance of up to €20M or 4% of global annual turnover.
GDPR also addresses the transfer of personal data from the EU to third-party countries, such as the United States. The provisions on cross-border data sharing do not differ radically from the rules previously in place under the data protection directives. GDPR contains no specific requirement that the personal data of EU residents reside within an EU member state. However, it sets out conditions that must be met before such a transfer can occur, including the adequacy of the data protection measures in place.
GDPR has six fundamental principles related to Personal Data:
- It should be processed lawfully, fairly and transparently.
- It should be collected for specified, explicit and legitimate business purposes.
- It should be adequate, relevant and limited to what is necessary.
- It should be accurate and, where necessary, kept up to date.
- It should be retained only for as long as necessary.
- It should be processed appropriately to maintain security.