GDPR

The General Data Protection Regulation (GDPR) is a European Union (EU) law that sets the rules for the collection, processing and protection of personal data of individuals within the EU and the wider European Economic Area (EEA). It became applicable on 25 May 2018 and applies to any organisation that processes the personal data of individuals located in the EU/EEA, regardless of where the organisation is based or of the individual's nationality.

Key Principles of GDPR

GDPR is built around seven key principles that organisations must follow when handling personal data:

  1. Lawfulness, Fairness and Transparency: Data must be processed legally, fairly and transparently.
  2. Purpose Limitation: Data must be collected for specific, explicit and legitimate purposes.
  3. Data Minimisation: Only the necessary data for a specific purpose should be collected.
  4. Accuracy: Personal data must be accurate and kept up to date.
  5. Storage Limitation: Data should be kept only as long as necessary for the intended purpose.
  6. Integrity and Confidentiality: Data must be processed securely to protect against unauthorised access, loss, or damage.
  7. Accountability: Organisations must take responsibility for GDPR compliance and demonstrate their compliance efforts.

Key Rights of Individuals Under GDPR

GDPR grants individuals several rights over their personal data:

  • Right to Access: Individuals can request access to their personal data.
  • Right to Rectification: They can request corrections to inaccurate data.
  • Right to Erasure (“Right to be Forgotten”): Individuals can ask for their data to be deleted.
  • Right to Restriction of Processing: They can limit how their data is processed.
  • Right to Data Portability: They can request their data in a machine-readable format.
  • Right to Object: Individuals can object to processing based on legitimate interests or a public-interest task, and have an absolute right to object to processing for direct marketing.
  • Rights Related to Automated Decision-Making and Profiling: They have protections against automated processing that significantly affects them.

Who Must Comply with GDPR?

GDPR applies to:

  • Organisations within the EU that process personal data.
  • Non-EU organisations that offer goods or services to individuals in the EU/EEA or monitor their behaviour (e.g., tracking website users located in the EU).
  • Data controllers and processors, including businesses, public institutions and online services.

Consequences of GDPR Non-Compliance

  • Hefty fines: Up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements; a lower tier of up to €10 million or 2% applies to others.
  • Legal actions: Individuals can lodge complaints with a supervisory authority and seek judicial remedies and compensation for infringements of the regulation, including data breaches.
  • Reputation damage: Non-compliance can result in loss of trust and negative publicity.

Why is GDPR Important?

  • Enhances data privacy and security.
  • Gives individuals greater control over their personal information.
  • Encourages responsible data handling by businesses.
  • Sets a global standard for data protection, influencing laws in other countries (e.g., California’s CCPA).