What is GDPR?

What is the General Data Protection Regulation?

Simply put, the General Data Protection Regulation (GDPR) is an EU-wide regulation, in force since 25 May 2018, that governs how the personal data of individuals in the EU may be collected and used. That summary does little to convey the regulation’s complexity. It affects every organization that processes such data, regardless of where the organization is located. In view of the regulation’s vast scope, it is highly recommended that all organizations train their employees in GDPR compliance to avoid costly violations: administrative fines can reach the higher of 20 million euros or 4% of worldwide annual turnover (Article 83).

First and foremost, it is important to explain that GDPR replaces the earlier Data Protection Directive (95/46/EC) and the patchwork of national laws built on it, giving the whole EU a single data-privacy regime. It sets out rules on how personal data is to be collected, processed and stored (actions collectively known as “processing”, which under Article 4 also covers recording, retrieval, disclosure and erasure), as well as what measures must be in place to protect the data at every step.

The regulation also stipulates what kinds of data are protected: essentially, any information relating to an identified or identifiable natural person (Article 4) is “personal data” and subject to GDPR. Identifiers are interpreted broadly and include names, dates of birth, postal and email addresses, photographs, bank details, national identity card numbers, and online identifiers such as IP addresses and cookie IDs. A further set of “special categories” of data (Article 9), such as racial or ethnic origin, religious beliefs, health data, biometric and genetic data, and sexual orientation, may only be processed under narrower conditions and requires greater levels of protection.

Regardless of the class of data, GDPR requires controllers and processors to apply “appropriate technical and organisational measures” (Article 32). The two examples the regulation itself names are pseudonymisation and encryption. Pseudonymisation replaces direct identifiers with tokens that can only be linked back to a person using additional information (such as a key or lookup table) that is kept separately from the data. Anonymisation goes further and removes the ability to re-identify individuals altogether; properly anonymised data falls outside GDPR entirely, which is why the distinction matters. Encryption ensures that if data is intercepted, or a storage medium is lost, it cannot be read by unauthorised individuals, and a breach of encrypted data may not need to be reported to the affected individuals (Article 34). GDPR does not prescribe specific controls such as a password policy, but access controls and strong authentication fall under the same “appropriate measures” and are often the first line of defence against data theft.
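The following Python example, added here and not part of the original article, shows the practical difference between the measures named above: keyed pseudonymisation (HMAC-SHA256 under a secret kept apart from the data), anonymisation (identifiers dropped outright), and the common mistake of using an unkeyed hash as a “pseudonym”. The records, field names and key are constructed for illustration.

```python
"""Pseudonymisation versus anonymisation of personal-data records.

Added example, not code from the original article. The records, field
names and the key below are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records about fictional people. The first three
# fields are direct identifiers in the article's sense; the last two are
# the attributes a downstream analyst actually needs.
RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com",
     "dob": "1985-04-12", "city": "Lyon", "purchase": "book"},
    {"name": "Bob Example", "email": "bob@example.com",
     "dob": "1990-09-30", "city": "Lyon", "purchase": "lamp"},
]
DIRECT_IDENTIFIERS = ("name", "email", "dob")


def pseudonym(key: bytes, value: str) -> str:
    """Keyed, deterministic token for one identifier value.

    HMAC-SHA256 under a secret key: the same input always yields the same
    token (so records can still be joined), but nobody without the key can
    recompute or invert it. The key is the "additional information" that
    Article 4(5) says must be kept separately from the pseudonymised data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace every direct identifier with its keyed token; keep the rest."""
    out = []
    for rec in records:
        pseudo = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            pseudo[field] = pseudonym(key, rec[field])
        out.append(pseudo)
    return out


def anonymise(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop direct identifiers outright. No key exists that links the
    result back to a person, which is what takes the data outside GDPR."""
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]


def reidentify(pseudonymised: List[Dict[str, str]], key: bytes, email: str) -> List[Dict[str, str]]:
    """The controller, holding the key, can still locate a person's records,
    e.g. to answer an access or erasure request."""
    token = pseudonym(key, email)
    return [rec for rec in pseudonymised if rec["email"] == token]


def unkeyed_hash(value: str) -> str:
    """A common mistake: a plain hash is NOT a pseudonym, because anyone can
    recompute it over a list of guesses (and emails are easy to guess)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Recover the identifier behind a token by recomputing the unkeyed hash
    over candidate values. Succeeds against unkeyed_hash() output and fails
    against HMAC tokens because the attacker lacks the key."""
    for guess in candidates:
        if unkeyed_hash(guess) == token:
            return guess
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this apart from the data set
    pseudo = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("anonymised:   ", anonymise(RECORDS))
    print("lookup for bob:", reidentify(pseudo, key, "bob@example.com"))
    guesses = [r["email"] for r in RECORDS]
    print("unkeyed hash cracked ->",
          dictionary_attack(unkeyed_hash("alice@example.com"), guesses))
    print("HMAC token cracked   ->",
          dictionary_attack(pseudo[0]["email"], guesses))
```

Note that pseudonymised output is still personal data under GDPR, because the controller can reverse it with the key; only the anonymised output, which no key can link back, escapes the regulation. The point of the dictionary attack at the end is that a hash without a secret key offers neither property.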

There are two main parties referred to throughout the GDPR. The controller is the party that determines the purposes and means of the processing (Article 4(7)). Controllers are usually the ones that approach the data subject and with whom the data subject has the most contact. By contrast, the second party, the processor, handles the data on the controller’s behalf and may only process it on the controller’s documented instructions, under a written contract (Article 28). Both parties must be GDPR-compliant, and the controller remains accountable for the processors it chooses.

GDPR is an extensive piece of legislation. It applies to all organizations, public and private, established in the EU that process personal data, regardless of where the processing itself takes place. It also applies to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour (Article 3), which is why a non-EU web service with European users is in scope. Many were concerned about Brexit’s impact on the legislation; the UK has since written the regulation into domestic law (the Data Protection Act 2018 and the “UK GDPR”), so organizations handling the data of UK residents face near-identical obligations. It is also important to note that GDPR does not supersede the EU-US Privacy Shield: Privacy Shield was a separate mechanism for lawfully transferring personal data to the US, which continued to operate under GDPR’s transfer rules (Chapter V) until the Court of Justice of the EU invalidated it in the Schrems II judgment of July 2020.

GDPR puts individual privacy to the fore. It grants data subjects a number of rights that give them agency over the handling of their own data, including the rights to access, rectify, erase and port their data and to object to its processing (Articles 15 to 21), and it ensures that whilst their data is in the possession of other organizations it is adequately protected.
