GDPR
GDPR — GDPR, or General Data Protection Regulation, is Regulation (EU) 2016/679 of the European Parliament and of the Council, which concerns the protection of natural persons with regard to the processing of personal data and the free movement of such data.
What is GDPR?
- Definition of GDPR
- Goals and importance of GDPR
- Key principles of GDPR
- Rights of data subjects
- Obligations of data controllers under GDPR
- Penalties for violating GDPR provisions
- Challenges related to GDPR implementation
Definition of GDPR
GDPR, or General Data Protection Regulation, is Regulation (EU) 2016/679 of the European Parliament and of the Council, which concerns the protection of natural persons with regard to the processing of personal data and the free movement of such data. GDPR came into force on May 25, 2018, and replaced Directive 95/46/EC, aiming to harmonize personal data protection regulations in the European Union.
Goals and importance of GDPR
The goal of GDPR is to ensure a high level of personal data protection and harmonize regulations throughout the European Union. The regulation aims to increase citizens’ control over their personal data, strengthen the rights of data subjects, and ensure transparency in personal data processing by organizations. GDPR also aims to increase the accountability of data controllers and imposes severe penalties for violating regulations.
Key principles of GDPR
GDPR is based on several key principles that must be followed by all entities processing personal data:
- Principle of lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and transparently for the data subject.
- Purpose limitation principle: Data should be collected for specific, explicit, and legitimate purposes.
- Data minimization principle: Processed data should be adequate, relevant, and limited to what is necessary.
- Accuracy principle: Data must be accurate and, where necessary, kept up to date.
- Storage limitation principle: Data should be kept in a form that permits identification of data subjects for no longer than necessary.
- Integrity and confidentiality principle: Data must be processed in a manner that ensures appropriate security.
Rights of data subjects
GDPR grants data subjects a range of rights that must be respected by data controllers:
- Right of access to data: Right to obtain information about personal data processing.
- Right to rectification: Right to correct inaccurate personal data.
- Right to erasure (right to be forgotten): Right to request data deletion in specified situations.
- Right to restriction of processing: Right to restrict data processing in specified cases.
- Right to data portability: Right to receive personal data in a structured format.
- Right to object: Right to object to processing of personal data.
- Right not to be subject to automated decision-making: Right not to be subject to decisions based solely on automated processing.
Obligations of data controllers under GDPR
Data controllers have a number of obligations related to personal data processing:
- Data security: Ensuring appropriate technical and organizational measures to protect personal data.
- Maintaining records of processing activities: Documenting data processing operations.
- Conducting data protection impact assessments: Risk analysis associated with personal data processing.
- Reporting data breaches: Informing the supervisory authority about personal data breaches.
- Compliance with the data minimization principle: Processing only the data necessary to achieve the processing purposes.
Penalties for violating GDPR provisions
Violation of GDPR provisions can result in serious penalties. Supervisory authorities have the right to impose financial penalties that can reach up to 20 million euros or 4% of the company’s total annual worldwide turnover, whichever is higher. Additionally, violations can lead to loss of customer trust and company reputation.
Challenges related to GDPR implementation
GDPR implementation involves many challenges, such as:
- Changing organizational culture: Need to adapt processes and procedures to the new requirements.
- Compliance management: Continuous monitoring and ensuring compliance with the regulations.
- Education and awareness: Raising employee awareness of the importance of data protection.
- Risk management: Identifying and minimizing risks associated with personal data processing.
In summary, GDPR is a key regulation that aims to protect personal data in the European Union, ensuring high standards of protection and transparency in data processing. Its effective implementation requires engagement and continuous compliance monitoring.
Frequently Asked Questions
What is GDPR?
GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is an EU regulation in effect since May 25, 2018, that governs the processing of personal data of individuals in the EU. It applies to all organizations processing EU citizens' data, regardless of where the company is located (extraterritorial reach). It replaced Directive 95/46/EC. Fines reach up to 4% of global revenue or €20M, whichever is higher. National laws add specific details in each member state.
What are the key principles of GDPR?
Art. 5 GDPR defines 6+1 principles: (1) Lawfulness, fairness and transparency, (2) Purpose limitation, (3) Data minimization, (4) Accuracy, (5) Storage limitation, (6) Integrity and confidentiality, (7) Accountability — controller must prove compliance. Legal bases (Art. 6): consent, contract, legal obligation, vital interests, public interest, legitimate interests. For sensitive data (Art. 9): additional restrictions.
What rights do data subjects have?
8 rights: (1) Right to information (Art. 13-14, transparency), (2) Right of access (Art. 15, subject access request (SAR), 30 days to respond), (3) Rectification (Art. 16), (4) Erasure / right to be forgotten (Art. 17), (5) Restriction of processing (Art. 18), (6) Data portability (Art. 20), (7) Right to object (Art. 21, especially to marketing), (8) Right not to be subject to automated decisions (Art. 22). The organization must have procedures in place to handle these requests.
How to implement GDPR in a company?
Steps: (1) Inventory (what data is held, where it comes from, where it is stored, who has access, and for what purpose), (2) Records of processing activities (Art. 30, mandatory), (3) Privacy policy (clear and understandable for users), (4) Data Processing Agreements (DPAs) with processors (e.g. Google, AWS, Microsoft), (5) DPIA for high-risk processing, (6) Technical measures: MFA, encryption, backups, DLP, (7) Employee training (at least annually), (8) Breach procedure (72-hour notification to the supervisory authority), (9) DPO appointment where required, (10) Annual audit. Tools: OneTrust, TrustArc, BigID.