GDPR (General Data Protection Regulation) is a regulation from the EU that came into effect on May 25, 2018.
Its purpose is to strengthen and harmonize privacy rules across the member states of the EU and EEA (European Economic Area), giving individuals more control over their personal data.
GDPR sets clear guidelines for how organizations should handle, store, and process personal data.
Strengthen privacy: Protect individuals’ rights regarding how their personal data is collected, stored, processed, and shared.
Harmonization: Create a unified legislation that applies across all EU and EEA countries, making it easier for organizations to operate in multiple countries.
Increased accountability: Place responsibility on organizations for how they handle personal data, with stricter requirements for documentation and reporting.
Lawfulness, fairness, and transparency: Processing of personal data must be lawful, fair, and transparent to the data subjects (those to whom the personal data belongs).
Purpose limitation: Personal data should only be collected for specific, legitimate purposes and not processed in a manner incompatible with those purposes.
Data minimization: Only the personal data necessary for the purpose it is collected for should be processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date.
Storage limitation: Personal data should not be stored longer than necessary to fulfill the purpose.
Integrity and confidentiality: Personal data must be processed in a manner that ensures adequate security, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage.
Accountability: Organizations are responsible for complying with the principles of data processing and must be able to demonstrate this.
Right of access: Individuals have the right to access their personal data and information about how it is processed.
Right to rectification: Individuals can request that incorrect or incomplete data be corrected.
Right to erasure (“right to be forgotten”): In certain cases, individuals can request that their personal data be deleted, for example, when the data is no longer necessary for the purpose it was collected for.
Right to data portability: Individuals have the right to receive their personal data in a structured, machine-readable format and transfer it to another service provider.
Right to object: Individuals can object to the processing of their personal data, especially for direct marketing purposes.
Right to restrict processing: In certain cases, individuals can request that the processing of their personal data be restricted, for example, if they believe the data is inaccurate or the processing is unlawful.
Data controller: The entity that determines the purpose and means of processing personal data. This can be a company, organization, or public authority.
Data processor: A third party that processes personal data on behalf of the data controller. For example, an external IT company that handles data on behalf of a business.
Data processing agreement: A written agreement must be made between the data controller and the data processor to ensure that personal data is processed in accordance with GDPR.
Fines: Violations of GDPR can result in significant fines. The maximum fine can be up to €20 million or 4% of the global annual turnover, whichever is higher. This applies to the most serious violations, such as failing to obtain consent or breaching the principle of data minimization.
Enforcement: Each EU member state has a supervisory authority responsible for enforcing GDPR, and there is cooperation between national data protection authorities to ensure consistent enforcement.
Consent: Organizations must obtain explicit consent from individuals before collecting or processing their personal data (with some exceptions, such as when necessary to fulfill a contract or legal obligation).
Security: Organizations are required to implement necessary technical and organizational measures to secure personal data against unauthorized access, loss, or leakage. This can include encryption, access controls, and contingency plans.
DPIA (Data Protection Impact Assessment): Organizations must conduct a DPIA before implementing processes that may pose a high risk to individuals’ privacy.
GDPR applies not only to organizations based in the EU but also to organizations outside the EU that process personal data of individuals in the EU. This means, for example, that an American company collecting data about European customers must also comply with GDPR. This principle is called extraterritorial application.
GDPR has set a high standard for how personal data should be protected in the EU and EEA. It gives individuals more rights over their own data and imposes stricter requirements on organizations for how they handle and protect personal data. Compliance with GDPR is not only a legal obligation but also an important measure to build trust with customers and partners.
Sicra only uses suppliers, products, and services that comply with GDPR both internally and externally. This is ensured through Sicra’s ISO27001 certification with the associated ISMS (Information Security Management System).
Related words: Privacy, Information Security.