The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy in the European Union and the European Economic Area. The law regulates how organizations protect the personal data of people residing in its protected areas. The purpose of the GDPR is to give individuals control over their personal data and to simplify the regulatory environment for international business. Business processes that handle personal data must be designed with consideration of the principles and provide safeguards to protect data. Businesses that experience a data breach must report the breach to national supervisory authorities within 72 hours if the breach could negatively impact user privacy.
Under the GDPR, data controllers must design information systems with high levels of privacy so subjects cannot be identified through publicly available datasets. Additionally, no personal data may be processed unless it is done under one of six specified lawful bases: consent, contract, public task, vital interest, legitimate interest, or legal requirement. Data controllers must also clearly disclose data collection to the user, declare the lawful purpose and basis for processing, and state how long the data will be held and whether it will be shared with any third parties. While the law is written to protect those countries in the EU and EEA, institutions and organizations outside of those areas must follow its provisions and are not exempt from facing the consequences of non-compliance. Non-EU organizations need to implement, staff, and run systems to continue offering their services to the EU market. The GDPR was adopted on April 14, 2016, and became enforceable starting May 25, 2018.
Countries Covered by GDPR
The following countries are covered by the GDPR: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. Because the United Kingdom was still a part of the European Union when the GDPR was enforced, the regulation will be absorbed into the U.K.’s law.