GDPR: stands for, definition, requirements, compliance: Everything you need to know


The GDPR stands for The General Data Protection Regulation, a regulation from the European Union that is intended to increase privacy and protect the data of all individuals within the EU.

While the GDPR is primarily concerned with the European Union, it also affects companies and countries outside the union whenever they come into contact with European data. GDPR compliance is intended to give citizens and residents more control over their personal data, and to let legislators simplify the regulatory environment for international businesses by unifying the rules.

The GDPR requirements were detailed on April 14, 2016, and after a two-year transition period, GDPR compliance will be enforceable as of May 25, 2018. GDPR stands for greater privacy for users across the EU, and replaces the 1995 Data Protection Directive – a collection of guidelines that has since become pretty outdated.

Because the GDPR is a regulation rather than a directive, it does not require national governments to pass their own enabling legislation; it takes effect directly across the EU and applies in any country bound by the union’s rules.

The GDPR extends the scope of EU data protection law to foreign companies that process the data of EU residents – a requirement that is especially notable given the recent issues with mishandling of data by giant companies like Facebook.

According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

It’s important to note that the GDPR doesn’t apply to the processing of personal data for national security activities or for law enforcement within the EU, meaning that governments still have a decent amount of access to user data.

While the GDPR requirements have generally been well received, some industry groups are worried about facing a potential conflict of laws. Essentially, while the EU is a collection of countries that all strive to operate together, each is independent and has its own regulations. There is always the possibility that a country’s own regulations could contradict the EU rules, which would cause problems for companies.

These industry groups are hoping that a third party might be able to step in and make rulings one way or the other when country law conflicts with the EU rules, but there hasn’t been much progress on that front in terms of adjusting the GDPR.

In terms of enforcing GDPR compliance, a single set of rules will apply to all member states in the EU. Each member state will establish an independent supervisory authority with the goal of hearing and investigating complaints, sanctioning administrative offenses and other important aspects of keeping the GDPR requirements up and running.

If a company has establishments in multiple EU countries, it will work with a single supervisory authority, giving companies a one-stop shop of sorts for making sure they adhere to the spirit and guidelines of the GDPR.

The notice requirements remain and are expanded. Notices must include the retention time for personal data, and contact information for the data controller and the data protection officer has to be provided.

When GDPR compliance is enforced, citizens of the EU will have the right to question and contest significant decisions affecting them that were made on a solely algorithmic basis. The majority of decisions regarding the use of data will still be made by automatic processing, but the ability of both companies and citizens to take a closer look at these decisions on a case-by-case basis will make the process run more smoothly.

But what exactly determines whether or not a specific data processing activity falls under the GDPR? The regulation is based on the lawful bases quoted below.

“Data may not be processed unless there is at least one lawful basis to do so:

The data subject has given consent to the processing of personal data for one or more specific purposes.

Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

Processing is necessary for compliance with a legal obligation to which the controller is subject.

Processing is necessary to protect the vital interests of the data subject or of another natural person.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.”

If none of these criteria holds and you haven’t given a company permission to use your data, the GDPR stands as a protection for your privacy against any such wrongdoing.
