The General Data Protection Regulation (GDPR) is a strict, far-reaching privacy and security law adopted by the European Union (EU) in 2016 and enforceable since 25 May 2018. It applies to organizations established in the EU that process personal data, and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the organization is based or operates. Understanding and abiding by the GDPR has become a necessary focal point for organizations across the world, as failure to comply with its privacy and security requirements can result in notoriously large fines: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Considered a modern extension of the right to privacy, as established in 1950 by the European Convention on Human Rights, the GDPR is the latest and most relevant attempt to make data protection a fundamental part of the law. The first EU-wide instrument of its kind was the 1995 Data Protection Directive (95/46/EC), whose standards were quickly outgrown by the rapid advances in internet technology of the 2000s. In response to the data breaches and legal concerns that continued to crop up in the following years, the GDPR was drafted with the goal of implementing personal data protections that were comprehensive and could keep pace with the expansion of modern technology.
In one sense, the GDPR can be heralded as a triumph for basic human rights, but in another it can represent an obstacle, particularly for small and medium-sized organizations hoping to remain in compliance with its many articles. The GDPR itself is a sprawling document, its potential applications are numerous, and it is difficult to navigate without qualified legal advice. If an organization processes any kind of personal data relating to individuals in the EU, whether it is managing documentation of some kind or providing goods and services, the GDPR will apply to that organization. Further, it is not enough for an organization simply to know that it is in compliance with the regulation; under the accountability principle it must also be able to demonstrate how it is in compliance.
At a glance, the data protection principles that organizations must observe and uphold, as set out in Article 5 of the GDPR, are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
While the GDPR gives individuals strengthened privacy rights, making it an overall positive development in the history of personal autonomy, organizations should be careful to prioritize compliance and not to underestimate the difficulty of its language. New protections for personal data come with new responsibilities for those in control of its use, and organizations should remain diligent, seeking assistance and outside resources wherever necessary to ensure full compliance in all circumstances.