CINXE.COM

What is GDPR, the EU’s new data protection law? - GDPR.eu

<!DOCTYPE html><html lang=en-US class="no-js no-svg"><head><meta charset=UTF-8><meta name=viewport content="width=device-width, initial-scale=1.0"><link rel=profile href=http://gmpg.org/xfn/11><link type=text/css media=all href=https://gdpr.eu/wp-content/cache/autoptimize/css/autoptimize_5b670c3f41f6d1c9d284128a1816dcbc.css rel=stylesheet><title>What is GDPR, the EU’s new data protection law? - GDPR.eu</title> <script>(function(d, s, id){ var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) {return;} js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <meta name=robots content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"><link rel=canonical href=https://gdpr.eu/what-is-gdpr/ ><meta property=og:locale content=en_US><meta property=og:type content=article><meta property=og:title content="What is GDPR, the EU’s new data protection law? - GDPR.eu"><meta property=og:description content="What is the GDPR? Europe&#8217;s new data privacy and security law includes hundreds of pages&#8217; worth of new requirements for organizations around the world. This GDPR overview will help..."><meta property=og:url content=https://gdpr.eu/what-is-gdpr/ ><meta property=og:site_name content=GDPR.eu><meta property=article:section content="GDPR Overview"><meta property=article:published_time content=2018-11-07T06:47:50+00:00><meta property=article:modified_time content=2024-08-29T09:11:56+00:00><meta property=og:updated_time content=2024-08-29T09:11:56+00:00><meta property=og:image content=https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-What-is-GDPR-IM.jpg><meta property=og:image:secure_url content=https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-What-is-GDPR-IM.jpg><meta property=og:image:width content=1024><meta property=og:image:height content=512><meta name=twitter:card content=summary_large_image><meta name=twitter:description content="What is the GDPR? Europe&#8217;s new data privacy and security law includes hundreds of pages&#8217; worth of new requirements for organizations around the world. This GDPR overview will help..."><meta name=twitter:title content="What is GDPR, the EU’s new data protection law? - GDPR.eu"><meta name=twitter:image content=https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-What-is-GDPR-IM.jpg> <script type=application/ld+json class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://gdpr.eu/#organization","name":"GDPR.eu","url":"https://gdpr.eu/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https://gdpr.eu/#logo","url":"https://gdpr.eu/wp-content/uploads/2019/02/profile-pic-PH-gdpr.jpg","width":900,"height":900,"caption":"GDPR.eu"},"image":{"@id":"https://gdpr.eu/#logo"}},{"@type":"WebSite","@id":"https://gdpr.eu/#website","url":"https://gdpr.eu/","name":"GDPR.eu","publisher":{"@id":"https://gdpr.eu/#organization"},"potentialAction":{"@type":"SearchAction","target":"https://gdpr.eu/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://gdpr.eu/what-is-gdpr/#primaryimage","url":"https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-What-is-GDPR-IM.jpg","width":1024,"height":512,"caption":"gdpr compliance small business"},{"@type":"WebPage","@id":"https://gdpr.eu/what-is-gdpr/#webpage","url":"https://gdpr.eu/what-is-gdpr/","inLanguage":"en-US","name":"What is GDPR, the EU\u2019s new data protection law? - GDPR.eu","isPartOf":{"@id":"https://gdpr.eu/#website"},"primaryImageOfPage":{"@id":"https://gdpr.eu/what-is-gdpr/#primaryimage"},"datePublished":"2018-11-07T06:47:50+00:00","dateModified":"2024-08-29T09:11:56+00:00"},{"@type":"Article","@id":"https://gdpr.eu/what-is-gdpr/#article","isPartOf":{"@id":"https://gdpr.eu/what-is-gdpr/#webpage"},"author":{"@id":"https://gdpr.eu/#/schema/person/ea6a6cfb7b5ad33e0b774ac2085eb166"},"headline":"What is GDPR, the EU\u2019s new data protection law?","datePublished":"2018-11-07T06:47:50+00:00","dateModified":"2024-08-29T09:11:56+00:00","commentCount":0,"mainEntityOfPage":{"@id":"https://gdpr.eu/what-is-gdpr/#webpage"},"publisher":{"@id":"https://gdpr.eu/#organization"},"image":{"@id":"https://gdpr.eu/what-is-gdpr/#primaryimage"},"articleSection":"GDPR Overview"},{"@type":["Person"],"@id":"https://gdpr.eu/#/schema/person/ea6a6cfb7b5ad33e0b774ac2085eb166","name":"Ben Wolford","image":{"@type":"ImageObject","@id":"https://gdpr.eu/#authorlogo","url":"https://secure.gravatar.com/avatar/41724bffc3c429bc44aff458c88401e5?s=96&d=mm&r=g","caption":"Ben Wolford"},"description":"A journalist by training, Ben has reported and covered stories around the world. He joined <a href=\"https://proton.me?ref=gdpreu\">Proton</a> to help lead the fight for data privacy.","sameAs":[]}]}</script> <link rel=dns-prefetch href=//ws.sharethis.com><link rel=dns-prefetch href=//cdn.jsdelivr.net><link rel=dns-prefetch href=//maxcdn.bootstrapcdn.com><link rel=dns-prefetch href=//fonts.googleapis.com><link rel=dns-prefetch href=//use.fontawesome.com><link rel=dns-prefetch href=//s.w.org><link rel=alternate type=application/rss+xml title="GDPR.eu &raquo; Feed" href=https://gdpr.eu/feed/ ><link rel=alternate type=application/rss+xml title="GDPR.eu &raquo; Comments Feed" href=https://gdpr.eu/comments/feed/ ><link rel=alternate type=application/rss+xml title="GDPR.eu &raquo; What is GDPR, the EU’s new data protection law? Comments Feed" href=https://gdpr.eu/what-is-gdpr/feed/ > <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/gdpr.eu\/wp-includes\/js\/wp-emoji-release.min.js?ver=8c03ada028d9ba4936249699216631ae"}}; !function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);</script> <style>img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; }</style><link rel=stylesheet id=simple-share-buttons-adder-font-awesome-css href='//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css?ver=8c03ada028d9ba4936249699216631ae' type=text/css media=all><link rel=stylesheet id=opensans-css href='https://fonts.googleapis.com/css?family=Open+Sans' type=text/css media=all><link rel=stylesheet id=font-awesome-css href=https://use.fontawesome.com/releases/v5.1.1/css/all.css type=text/css media=all> <script src="https://gdpr.eu/wp-content/cache/minify/c7035.js"></script> <script id=st_insights_js src='https://ws.sharethis.com/button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&#038;product=simpleshare'></script> <link rel=https://api.w.org/ href=https://gdpr.eu/wp-json/ ><link rel=EditURI type=application/rsd+xml title=RSD href=https://gdpr.eu/xmlrpc.php?rsd><link rel=wlwmanifest type=application/wlwmanifest+xml href=https://gdpr.eu/wp-includes/wlwmanifest.xml><link rel=shortlink href='https://gdpr.eu/?p=202'><link rel=alternate type=application/json+oembed href="https://gdpr.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fgdpr.eu%2Fwhat-is-gdpr%2F"><link rel=alternate type=text/xml+oembed href="https://gdpr.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fgdpr.eu%2Fwhat-is-gdpr%2F&#038;format=xml"><link rel="shortcut icon" href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon.ico><link rel=apple-touch-icon sizes=57x57 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-57x57.png><link rel=apple-touch-icon sizes=60x60 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-60x60.png><link rel=apple-touch-icon sizes=72x72 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-72x72.png><link rel=apple-touch-icon sizes=76x76 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-76x76.png><link rel=apple-touch-icon sizes=114x114 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-114x114.png><link rel=apple-touch-icon sizes=120x120 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-120x120.png><link rel=apple-touch-icon sizes=144x144 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-144x144.png><link rel=apple-touch-icon sizes=152x152 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-152x152.png><link rel=apple-touch-icon sizes=180x180 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-180x180.png><link rel=icon type=image/png sizes=192x192 href=https://gdpr.eu/wp-content/themes/gdpr/assets/android-icon-192x192.png><link rel=icon type=image/png sizes=32x32 href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-32x32.png><link rel=icon type=image/png sizes=96x96 href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-96x96.png><link rel=icon type=image/png sizes=16x16 href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-16x16.png><link rel=manifest href=https://gdpr.eu/wp-content/themes/gdpr/assets/manifest.json><meta name=msapplication-TileColor content=#ffffff><meta name=msapplication-TileImage content=https://gdpr.eu/wp-content/themes/gdpr/assets/ms-icon-144x144.png><meta name=theme-color content=#ffffff><style>.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style></head><body class="post-template-default single single-post postid-202 single-format-standard cookies-set cookies-refused"><div id=wrapper><header id=header><div id=social><div class="container text-right"> <a target=_blank href="http://www.facebook.com/sharer.php?u=https://gdpr.eu/"><em class="fab fa-facebook"></em> <span>Facebook</span></a> <a target=_blank href="http://twitter.com/share?url=https://gdpr.eu/"><em class="fab fa-twitter"></em> <span>Twitter</span></a></div></div><div id=top><div class=container><div class=pull-right><div class=search-box><form role=search method=get class=search-form action=https://gdpr.eu/ > <input type=search id=search-form-67420704dbe89 class=textbox placeholder=Search... value name=s> <button type=submit class=button><i class=icon-search></i><span>Search</span></button></form></div></div> <span id=logo> <a href=https://gdpr.eu/ class=gdpr></a> <a target=_blank href=https://ec.europa.eu/programmes/horizon2020/en/ class=horizon></a> <img class=full src=https://gdpr.eu/wp-content/themes/gdpr/images/logo-gdpr-eu.svg alt=GDPR.eu> <img class=short src=https://gdpr.eu/wp-content/themes/gdpr/images/logo-gdpr-eu-notext.svg alt=GDPR.eu> </span></div></div><nav id=nav><div class=container><div id=searchx><div class=search-box><form role=search method=get class=search-form action=https://gdpr.eu/ > <input type=search id=search-form-67420704dbfc5 class=textbox placeholder=Search... value name=s> <button type=submit class=button><i class=icon-search></i><span>Search</span></button></form></div></div><nav id=mainmenu class=menu-primary-menu-container><ul><li id=menu-item-309 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-309"><a href=https://gdpr.eu/ >Home</a></li><li id=menu-item-351 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-351"><a href=https://gdpr.eu/checklist/ >Checklist</a></li><li id=menu-item-8150 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8150"><a href=https://gdpr.eu/faq/ >FAQ</a></li><li id=menu-item-394 class="menu-item menu-item-type-taxonomy menu-item-object-post_tag menu-item-394"><a href=https://gdpr.eu/tag/gdpr/ >GDPR</a></li><li id=menu-item-350 class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-350"><a href=https://gdpr.eu/category/news-updates/ >News &#038; Updates</a></li></ul></nav></div></nav></header><div id=main><div id=primary class="content-area one-column"><div id=content class=site-content><div class=post-main-box><div class=featured-image style="background-image: url(https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-What-is-GDPR-IM.jpg); "> <em></em><div class=container><div class=container><h1>What is GDPR, the EU’s new data protection law?</h1> <i></i></div></div></div><div class=container><div class=post-detail-box><div class=container><div class=row><div class="col-xl-8 col-lg-12 single-content"><p><strong>What is the GDPR? Europe&#8217;s new data privacy and security law includes hundreds of pages&#8217; worth of new requirements for organizations around the world. This GDPR overview will help you understand the law and determine what parts of it apply to you.</strong></p><p>The <a href=https://gdpr.eu/ >General Data Protection Regulation (GDPR)</a> is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.</p><p>With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).</p><p>We created this website to serve as a resource for SME owners and managers to address specific challenges they may face. While it is not a substitute for legal advice, it may help you to understand where to focus your GDPR compliance efforts. We also offer tips on <a href=https://gdpr.eu/email-encryption/ >privacy tools</a> and how to mitigate risks. As the GDPR continues to be interpreted, we&#8217;ll keep you up to date on evolving best practices.</p><p>If you&#8217;ve found this page — “what is the GDPR?” — chances are you&#8217;re looking for a crash course. Maybe you haven&#8217;t even found the document itself yet (tip: <a href=https://gdpr.eu/tag/gdpr/ >here&#8217;s the full regulation</a>). Maybe you don&#8217;t have time to read the whole thing. This page is for you. In this article, we try to demystify the GDPR and, we hope, make it less overwhelming for SMEs concerned about GDPR compliance.</p><h2>History of the GDPR</h2><p>The right to privacy is part of the 1950 <a href=https://www.echr.coe.int/Documents/Convention_ENG.pdf>European Convention on Human Rights</a>, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.</p><p>As technology progressed and the Internet was invented, the EU recognized the need for modern protections. So in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data Hoover it is today. In 1994, the <a href=http://thefirstbannerad.com>first banner ad</a> appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe&#8217;s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.</p><p>The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.</p><h2>Scope, penalties, and key definitions</h2><p>First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then <b>the GDPR applies to you even if you&#8217;re not in the EU</b>. We talk more about this <a href=https://gdpr.eu/companies-outside-of-europe/ >in another article</a>.</p><p>Second, the <b>fines for violating the GDPR are very high</b>. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. We also talk <a href=https://gdpr.eu/fines/ >more about GDPR fines</a>.</p><p>The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:</p><p><b>Personal data</b> — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. <a href=https://en.wikipedia.org/wiki/Pseudonymization>Pseudonymous</a> data can also fall under the definition if it&#8217;s relatively easy to ID someone from it.</p><p><b>Data processing</b> — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.</p><p><b>Data subject</b> — The person whose data is processed. These are your customers or site visitors.</p><p><b>Data controller</b> — The person who decides why and how personal data will be processed. If you&#8217;re an owner or employee in your organization who handles data, this is you.</p><p><b>Data processor</b> — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. These could include cloud servers, like <a class=c-link href=https://www.google.com/drive/ target=_blank rel="noopener noreferrer" data-stringify-link=https://www.google.com/drive/ data-sk=tooltip_parent>Google Drive</a>, <a class=c-link href="https://proton.me/drive?ref=gdpreu" target=_blank rel="noopener noreferrer" data-stringify-link="https://proton.me/drive?ref=gdpreu" data-sk=tooltip_parent>Proton Drive</a>, or <a class=c-link href=https://www.microsoft.com/en-us/microsoft-365/onedrive/online-cloud-storage target=_blank rel="noopener noreferrer" data-stringify-link=https://www.microsoft.com/en-us/microsoft-365/onedrive/online-cloud-storage data-sk=tooltip_parent>Microsoft OneDrive,</a> or email service providers, like <a href="https://proton.me/mail?ref=gdpreu">Proton Mail</a>.</p><h2>What the GDPR says about…</h2><p>For the rest of this article, we will briefly explain all the key regulatory points of the GDPR.</p><h4>Data protection principles</h4><p>If you process data, you have to do so according to seven protection and accountability principles outlined in <a href=https://gdpr.eu/article-5-how-to-process-personal-data/ >Article 5.1-2</a>:</p><ol><li><b>Lawfulness, fairness and transparency</b> — Processing must be lawful, fair, and transparent to the data subject.</li><li><b>Purpose limitation</b> — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.</li><li><b>Data minimization</b> — You should collect and process only as much data as absolutely necessary for the purposes specified.</li><li><b>Accuracy</b> — You must keep personal data accurate and up to date.</li><li><b>Storage limitation</b> — You may only store personally identifying data for as long as necessary for the specified purpose.</li><li><b>Integrity and confidentiality</b> — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).</li><li><b>Accountability</b> — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.</li></ol><h4>Accountability</h4><p>The GDPR says data controllers have to be able to demonstrate they are GDPR compliant. And this isn&#8217;t something you can do after the fact: If you think you are compliant with the GDPR but can&#8217;t show how, then you&#8217;re not GDPR compliant. Among the ways you can do this:</p><ul><li>Designate data protection responsibilities to your team.</li><li>Maintain detailed documentation of the data you&#8217;re collecting, how it&#8217;s used, where it&#8217;s stored, which employee is responsible for it, etc.</li><li>Train your staff and implement technical and organizational security measures.</li><li>Have Data Processing Agreement contracts in place with third parties you contract to process data for you.</li><li>Appoint a Data Protection Officer (though not all organizations need one — more on that in <a href=https://gdpr.eu/data-protection-officer/ >this article</a>).</li></ul><h4>Data security</h4><p>You&#8217;re required to handle data securely by implementing “<a href=https://gdpr.eu/recital-78-appropriate-technical-and-organisational-measures/ >appropriate technical and organizational measures</a>.”</p><p>Technical measures mean anything from requiring your employees to use <b>two-factor authentication</b> on accounts where personal data are stored to contracting with cloud providers that use <b>end-to-end encryption</b>.</p><p>Organizational measures are things like <b>staff trainings</b>, adding a <b>data privacy policy</b> to your employee handbook, or <b>limiting access to personal data</b> to only those employees in your organization who need it.</p><p>If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)</p><h4>Data protection by design and by default</h4><p>From now on, everything you do in your organization must, “by design and by default,” consider data protection. Practically speaking, this means you must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in <a href=https://gdpr.eu/article-25-data-protection-by-design/ >Article 25</a>.</p><p>Suppose, for example, you&#8217;re launching a new app for your company. You have to think about what personal data the app could possibly collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.</p><h4>When you&#8217;re allowed to process data</h4><p><a href=https://gdpr.eu/article-6-how-to-process-personal-data-legally/ >Article 6</a> lists the instances in which it&#8217;s legal to process person data. Don&#8217;t even think about touching somebody&#8217;s personal data — don&#8217;t collect it, don&#8217;t store it, don&#8217;t sell it to advertisers — unless you can justify it with one of the following:</p><ol><li>The data subject gave you specific, <b>unambiguous consent</b> to process the data. (e.g. They&#8217;ve opted in to your marketing email list.)</li><li>Processing is necessary to execute or to prepare <b>to enter into a contract</b> to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)</li><li>You need to process it <b>to comply with a legal obligation</b> of yours. (e.g. You receive an order from the court in your jurisdiction.)</li><li>You need to process the data <b>to save somebody&#8217;s life</b>. (e.g. Well, you&#8217;ll probably know when this one applies.)</li><li>Processing is necessary <b>to perform a task in the public interest</b> or to carry out some official function. (e.g. You&#8217;re a private garbage collection company.)</li><li>You have a <b>legitimate interest</b> to process someone&#8217;s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it&#8217;s a child&#8217;s data. (It&#8217;s difficult to give an example here because there are a variety of factors you&#8217;ll need to consider for your case. The UK Information Commissioner&#8217;s Office provides helpful guidance <a href=https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ >here</a>.)</li></ol><p>Once you&#8217;ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject (transparency!). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject.</p><h4>Consent</h4><p>There are strict new rules about what constitutes <a href=https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/ >consent from a data subject</a> to process their information.</p><ul><li>Consent must be “freely given, specific, informed and unambiguous.”</li><li>Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”</li><li>Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can&#8217;t simply change the legal basis of the processing to one of the other justifications.</li><li>Children under 13 can only give consent with permission from their parent.</li><li>You need to keep documentary evidence of consent.</li></ul><h4>Data Protection Officers</h4><p>Contrary to popular belief, not every data controller or processor needs to appoint a <a href=https://gdpr.eu/data-protection-officer/ >Data Protection Officer (DPO)</a>. There are three conditions under which you are required to appoint a DPO:</p><ol><li>You are a public authority other than a court acting in a judicial capacity.</li><li>Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. You&#8217;re Google.)</li><li>Your core activities are large-scale processing of special categories of data listed under <a href=https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/ >Article 9</a> of the GDPR or data relating to criminal convictions and offenses mentioned in <a href=https://gdpr.eu/article-10-personal-data-relating-to-criminal-convictions-and-offences/ >Article 10</a>. (e.g. You&#8217;re a medical office.)</li></ol><p>You could also choose to designate a DPO even if you aren&#8217;t required to. There are benefits to having someone in this role. Their basic tasks involve understanding the GDPR and how it applies to the organization, advising people in the organization about their responsibilities, conducting data protection trainings, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.</p><p>We go in depth about the DPO role <a href=https://gdpr.eu/data-protection-officer/ >in another article</a>.</p><h4>People&#8217;s privacy rights</h4><p>You are a data controller and/or a data processor. But as a person who uses the Internet, you&#8217;re also a data subject. The GDPR recognizes a litany of new <a href=https://gdpr.eu/tag/chapter-3/ >privacy rights for data subjects</a>, which aim to give individuals more control over the data they loan to organizations. As an organization, it&#8217;s important to understand these rights to ensure you are GDPR compliant.</p><p>Below is a rundown of data subjects&#8217; privacy rights:</p><ol><li>The right to be informed</li><li>The right of access</li><li>The right to rectification</li><li>The right to erasure</li><li>The right to restrict processing</li><li>The right to data portability</li><li>The right to object</li><li>Rights in relation to automated decision making and profiling.</li></ol><h3>Conclusion</h3><p>We&#8217;ve just covered all the major points of the GDPR in a little over 2,000 words. The <a href=https://gdpr.eu/tag/gdpr/ >regulation itself</a> (not including the accompanying directives) is 88 pages. If you&#8217;re affected by the GDPR, we strongly recommend that someone in your organization reads it and that you consult an attorney to ensure you are GDPR compliant.</p><div class=rp4wp-related-posts><h3>Related Posts</h3><ul><li><div class=rp4wp-related-post-content> <a href=https://gdpr.eu/article-68-what-is-the-european-data-protection-board/ >Art. 68 GDPR - European Data Protection Board</a></div></li><li><div class=rp4wp-related-post-content> <a href=https://gdpr.eu/article-39-tasks-of-the-data-protection-officer/ >Art. 39 GDPR - Tasks of the data protection officer</a></div></li><li><div class=rp4wp-related-post-content> <a href=https://gdpr.eu/article-38-data-protection-officer/ >Art. 38 GDPR - Position of the data protection officer</a></div></li></ul></div><div class=post-share><div id=ssba-modern-2 class="ssba ssbp-wrap left ssbp--theme-4"><div style=text-align:left><span class=ssba-share-text>Share on:</span><ul class=ssbp-list><li class=ssbp-li--facebook><a data-site class="ssba_facebook_share ssbp-facebook ssbp-btn" href="http://www.facebook.com/sharer.php?u=https://gdpr.eu/what-is-gdpr/" target=_blank ><div title=Facebook class=ssbp-text>Facebook</div></a></li><li class=ssbp-li--google><a data-site class="ssba_google_share ssbp-google ssbp-btn" href="https://plus.google.com/share?url=https://gdpr.eu/what-is-gdpr/" target=&quot;_blank&quot; ><div title=Google+ class=ssbp-text>Google+</div></a></li><li class=ssbp-li--twitter><a data-site class="ssba_twitter_share ssbp-twitter ssbp-btn" href="http://twitter.com/share?url=https://gdpr.eu/what-is-gdpr/&amp;text=What%20is%20GDPR%2C%20the%20EU%E2%80%99s%20new%20data%20protection%20law%3F%20" target=&quot;_blank&quot; ><div title=Twitter class=ssbp-text>Twitter</div></a></li><li class=ssbp-li--linkedin><a data-site=linkedin class="ssba_linkedin_share ssba_share_link ssbp-linkedin ssbp-btn" href="http://www.linkedin.com/shareArticle?mini=true&amp;url=https://gdpr.eu/what-is-gdpr/" target=&quot;_blank&quot; ><div title=Linkedin class=ssbp-text>Linkedin</div></a></li></ul></div></div></div></div><div class="col-lg-4 d-none d-xl-block"><div id=sidebar><section class=yellow><h5>Forms and Templates</h5><ul><li><a href=/data-processing-agreement/ ><i class="far fa-file-alt"></i>&nbsp;&nbsp;Data Processing Agreement</a></li><li><a href=/right-to-erasure-request-form/ ><i class="far fa-file-alt"></i>&nbsp;&nbsp;Right to Erasure Request Form</a></li><li><a href=/privacy-notice/ ><i class="far fa-file-alt"></i>&nbsp;&nbsp;Privacy Policy</a></li></ul></section></div></div></div></div></div><div class=post-author-details-box> <span class=author-intials><img src=https://gdpr.eu/wp-content/uploads/2019/01/ben.gif style=' height: 100%; max-width: initial !important;'></span><div class=post-author-details><h6>Ben Wolford</h6> <span>Editor in Chief, GDPR EU</span><p>A journalist by training, Ben has reported and covered stories around the world. He joined <a href="https://proton.me?ref=gdpreu">Proton</a> to help lead the fight for data privacy.</p></div></div></div></div></div></div></div><footer id=footer><div class=container><div class=post-author-details-box><div class=post-author-details><h6>About GDPR.EU</h6><p>&nbsp;</p><p>GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union. This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found <a href=https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en target=_blank>here</a>. Nothing found in this portal constitutes legal advice.</p></div></div><div class=footer-top><div class=row><div class=col-sm-3> <br><h5>Getting Started</h5><br><div class=menu-deep-footer-column-1-container><ul class=fmenu><li id=menu-item-9315 class="menu-item menu-item-type-post_type menu-item-object-post current-menu-item menu-item-9315"><a href=https://gdpr.eu/what-is-gdpr/ aria-current=page>What is GDPR?</a></li><li id=menu-item-9316 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9316"><a href=https://gdpr.eu/fines/ >What are the GDPR Fines?</a></li><li id=menu-item-9317 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9317"><a href=https://gdpr.eu/checklist/ >GDPR Compliance Checklist</a></li></ul></div></div><div class=col-sm-3> <br><h5>Templates</h5><br><div class=menu-deep-footer-column-2-container><ul class=fmenu><li id=menu-item-9318 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9318"><a href=https://gdpr.eu/data-processing-agreement/ >Data Processing Agreement</a></li><li id=menu-item-9319 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9319"><a href=https://gdpr.eu/right-to-erasure-request-form/ >Right to Erasure Request Form</a></li><li id=menu-item-9320 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9320"><a href=https://gdpr.eu/privacy-notice/ >Writing a GDPR-compliant privacy notice</a></li></ul></div></div><div class=col-sm-3> <br><h5>Technical Review</h5><br><div class=menu-deep-footer-column-3-container><ul class=fmenu><li id=menu-item-9321 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9321"><a href=https://gdpr.eu/data-protection-officer/ >Data Protection Office Guide</a></li><li id=menu-item-9322 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9322"><a href=https://gdpr.eu/email-encryption/ >GDPR and Email</a></li><li id=menu-item-9323 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9323"><a href=https://gdpr.eu/companies-outside-of-europe/ >Does GDPR apply outside of the EU</a></li></ul></div></div><div class=col-sm-3> <br><h5>About Us</h5><br><p>GDPR.eu is co-funded by the <a href=https://ec.europa.eu/programmes/horizon2020/en/ >Horizon 2020</a> Framework Programme of the European Union <strong>and operated by Proton AG</strong>.</p></div></div></div><div class=formz><p>&nbsp;</p><p><strong>GDPR Forms and Templates</strong></p><p> <a href=/data-processing-agreement/ ><i class="far fa-file-alt"></i> <strong>Data Processing Agreement</strong> <i class="fa fa-chevron-right"></i></a> <a href=/right-to-erasure-request-form/ ><i class="far fa-file-alt"></i> <strong>Right to Erasure Request Form</strong> <i class="fa fa-chevron-right"></i></a> <a href=/privacy-notice/ ><i class="far fa-file-alt"></i> <strong>Privacy Policy</strong> <i class="fa fa-chevron-right"></i></a></p></div><p>&nbsp;</p><p class=copyright>© 2024 Proton AG. All Rights Reserved.</p><p class=text-center> <br> <a href=https://gdpr.eu/terms-and-conditions/ >Terms and Conditions</a> &nbsp;&nbsp;&nbsp; <a href=https://gdpr.eu/privacy-policy/ >Privacy Policy</a></p></div></footer></div><div id=compliance_a style=display:none;> <a href=# class="close fa fa-times"></a> <img src=https://gdpr.eu/wp-content/themes/gdpr/images/gdpr_graphic.svg alt="GDPR Graphic"><p>GDPR compliance is easier with <strong>encrypted email</strong></p> <span><a target=_blank href="https://proton.me/business/gdpr?ref=gdpreu">Learn more <i class="fa fa-chevron-right"></i></a></span></div><style id=simple-share-buttons-adder-ssba-inline-css>.ssba { } .ssba img { width: 35px !important; padding: 6px; border: 0; box-shadow: none !important; display: inline !important; vertical-align: middle; box-sizing: unset; } #ssba-classic-2 .ssbp-text { display: none!important; } .ssba .fb-save { padding: 6px; } .ssbp-list li a {height: 25px!important; width: 25px!important; background-color: #0072ff!important; } .ssbp-list li a:hover {background-color: #0072ff!important; } .ssbp-list li a::before {line-height: 25px!important;; font-size: 16px;color: #fff!important;} .ssbp-list li a:hover::before {color: #fff!important;} .ssbp-list li { margin-left: 8px!important; } .ssba-share-text { font-size: 16px; font-weight: normal; font-family: inherit; } @font-face { font-family: 'ssbp'; src:url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.eot?xj3ol1'); src:url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.eot?#iefixxj3ol1') format('embedded-opentype'), url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.woff?xj3ol1') format('woff'), url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.ttf?xj3ol1') format('truetype'), url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.svg?xj3ol1#ssbp') format('svg'); font-weight: normal; font-style: normal; /* Better Font Rendering =========== */ -webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; }</style> <script>var cnArgs = {"ajaxurl":"https:\/\/gdpr.eu\/wp-admin\/admin-ajax.php","hideEffect":"fade","onScroll":"no","onScrollOffset":"100","cookieName":"cookie_notice_accepted","cookieValue":"true","cookieTime":"2592000","cookiePath":"\/","cookieDomain":"","redirection":"1","cache":"1","refuse":"yes","revoke_cookies":"0","revoke_cookies_opt":"automatic","secure":"1"};</script> <script src="https://gdpr.eu/wp-content/cache/minify/6fdea.js"></script> <script>Main.boot( [] );</script> <script src=https://cdn.jsdelivr.net/npm/js-cookie@2/src/js.cookie.min.js></script> <div id=cookie-notice role=banner class="cn-bottom bootstrap" style="color: #fff; background-color: #000;" aria-label="Cookie Notice"><div class=cookie-notice-container><span id=cn-notice-text>We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.</span><a href=# id=cn-accept-cookie data-cookie-set=accept class="cn-set-cookie cn-button bootstrap button">Ok</a><a href=# id=cn-refuse-cookie data-cookie-set=refuse class="cn-set-cookie cn-button bootstrap button">No</a><a href=https://gdpr.eu/privacy-policy/ target=_blank id=cn-more-info class="cn-more-info cn-button bootstrap button">Privacy policy</a></div><div class=cookie-notice-revoke-container><a href=# class="cn-revoke-cookie cn-button bootstrap button">Revoke cookies</a></div></div> <script defer src=https://gdpr.eu/wp-content/cache/autoptimize/js/autoptimize_5dd90da4735596921829dacc461fe36f.js></script></body></html> <!-- Performance optimized by W3 Total Cache. Learn more: https://www.w3-edge.com/products/ Page Caching using disk: enhanced Minified using disk Database Caching 52/68 queries in 0.028 seconds using disk Served from: gdpr.eu @ 2024-11-23 17:47:00 by W3 Total Cache -->

Pages: 1 2 3 4 5 6 7 8 9 10