The General Data Protection Regulation (GDPR), which replaces the 1995 directive, is the EU’s new data protection regulation. It was first published in May 2016 and came into effect on May 25, 2018.
The GDPR is expected to tighten and consolidate data protection for EU citizens while also addressing the export of personal data outside the EU.
The regulation harmonizes data protection laws across the EU.
GDPR applies to all businesses operating within the EU, as well as enterprises operating outside the EU that sell goods or services to EU customers or businesses.
As a result, practically every large organization in the world will need to implement a GDPR compliance strategy.
Whether you run a small business or a business of any size, GDPR brings a whole new set of legal duties to comply with.
To begin with, the law allows individuals to ask enterprises to:
- Confirm what personal information the enterprise holds about them.
- Describe how and where that data is saved, as well as the purposes for which it is used.
- Provide them with a free electronic copy of the information.
- Stop distributing the information, ensure that third parties are not using it, and destroy the information. This is called the right to be forgotten.
GDPR applies whenever a business collects or tracks the personal data of an individual who is physically located in the EU.
The law defines personal data as “any information relating to an identified or identifiable natural person.”
In other words, data counts as personal data, and is therefore protected by GDPR, if it can be used to reveal an individual’s identity. This includes:
- Name, age, date of birth, country of birth, and country of residency.
- Photographs or videos.
- Forms and documents.
- A website’s IP address or specific website settings.