The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted on 27 April 2016. It applies from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.
The new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.
The GDPR is a strict data protection compliance regime with severe penalties: administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
The regulation applies to organizations established in the EU that collect or process personal data, regardless of where the processing itself takes place. It also applies to organizations established outside the European Union if they collect or process the personal data of EU residents.
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
In order to be able to demonstrate compliance with the GDPR, an organization should implement measures that meet the principles of data protection by design and data protection by default. This requires that data protection measures are designed into the development of business processes for products and services from the start, rather than added afterwards.
Such measures include pseudonymisation and encryption of personal data, both named explicitly in Article 32 of the regulation. Encryption only counts as a safeguard if the keys are held separately from the data they protect and access to them is controlled and logged.
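Field-level encryption of a personal-data record, as an added example that is not part of the original page and is not code from any regulator or product. It uses AES-256-GCM from Go's standard library and binds the record ID and column name to each ciphertext as associated data, so a ciphertext cannot be silently moved to another data subject or another column. The record layout, field names and the assumption that the key comes from a KMS or HSM rather than the database are all illustrative choices, not anything the regulation prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// PersonalRecord is a constructed example of a data subject's row. ID is a
// surrogate key, not personal data in itself; Name and Email are personal data.
type PersonalRecord struct {
	ID, Name, Email string
}

// EncryptedRecord is the stored form: ID in the clear, Name and Email replaced
// by base64(nonce || ciphertext || tag) produced by AES-256-GCM.
type EncryptedRecord struct {
	ID, Name, Email string
}

// ErrTampered covers every authentication failure, including a ciphertext
// that was re-homed to another record or column, or opened with another key.
var ErrTampered = errors.New("personal data field failed authentication")

// NewKey returns a fresh 256-bit key. In a real deployment the key lives in a
// KMS or HSM, separate from the database holding the ciphertexts (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field. Record ID and column name form the associated
// data, so the ciphertext only opens in the position it was written for.
func sealField(key []byte, recordID, field, plaintext string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per field
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"/"+field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openField reverses sealField; any failure to authenticate is ErrTampered.
func openField(key []byte, recordID, field, encoded string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	ns := aead.NonceSize()
	if err != nil || len(raw) < ns+aead.Overhead() {
		return "", ErrTampered
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID+"/"+field))
	if err != nil {
		return "", ErrTampered
	}
	return string(plain), nil
}

// EncryptRecord encrypts only the personal-data columns; ID stays indexable.
func EncryptRecord(key []byte, r PersonalRecord) (EncryptedRecord, error) {
	name, err := sealField(key, r.ID, "name", r.Name)
	if err != nil {
		return EncryptedRecord{}, err
	}
	email, err := sealField(key, r.ID, "email", r.Email)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{ID: r.ID, Name: name, Email: email}, nil
}

// DecryptRecord restores the plaintext row, or returns ErrTampered.
func DecryptRecord(key []byte, e EncryptedRecord) (PersonalRecord, error) {
	name, err := openField(key, e.ID, "name", e.Name)
	if err != nil {
		return PersonalRecord{}, err
	}
	email, err := openField(key, e.ID, "email", e.Email)
	if err != nil {
		return PersonalRecord{}, err
	}
	return PersonalRecord{ID: e.ID, Name: name, Email: email}, nil
}
```

Call `EncryptRecord(key, rec)` before writing a row and `DecryptRecord(key, row)` when reading it back; `DecryptRecord` returns `ErrTampered` if the stored ciphertexts were altered, swapped between columns, copied under a different record ID, or opened with the wrong key. Encrypting the columns this way says nothing about whether the data should have been collected at all, so it complements, and does not replace, data minimisation.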