The General Data Protection Regulation (GDPR) is a strict, far-reaching privacy and security law of the European Union (EU). It was adopted in April 2016 and has applied since 25 May 2018. It covers any organization established in the EU that processes personal data, and any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour, regardless of where that organization is based or operates. Understanding and abiding by the GDPR has become a necessary focal point for organizations across the world, as failure to comply with its privacy and security requirements can result in notoriously large fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Considered a modern extension of the right to respect for private life established in 1950 by the European Convention on Human Rights, the GDPR is the latest and most relevant attempt to make data protection a fundamental part of the law. The first EU-wide law of its kind was the 1995 Data Protection Directive (95/46/EC); as a directive rather than a regulation, it had to be transposed into each member state's national law and was applied unevenly, and its standards were quickly outgrown by rapid advances in internet technology in the 2000s. In response to the data breaches and legal concerns that kept cropping up in the following years, the GDPR was drafted with the goal of implementing personal data protections that were comprehensive, applied directly and uniformly across the EU, and could keep up with the expansion of modern technology.
In one sense, the GDPR can be heralded as a triumph for basic human rights, but in another it can represent an obstacle, particularly for small and medium-sized organizations hoping to remain in compliance with its many articles. The GDPR itself is a sprawling document, its potential applications are numerous, and it is difficult to navigate without qualified legal advice. If an organization processes any kind of personal data relating to individuals in the EU, whether as part of its own operations (an EU establishment) or because it offers goods or services to those individuals or monitors their behaviour from outside the EU, the GDPR applies to that organization. Further, it is not enough for an organization to simply know that it is in compliance with the regulation; it must also be able to demonstrate how it complies.
At a glance, the GDPR data principles to be observed and upheld by organizations are as follows:
- Processing must be lawful, fair, and transparent.
- Organizations must adhere to purpose limitation: personal data may only be collected for specified, explicit, and legitimate purposes that have been explained in clear terms to the individual, and may not be further processed in a manner incompatible with those purposes.
- All processing must be carried out in the interest of data minimization: data collected and processed must be adequate, relevant, and limited to what is necessary for the specified purpose.
- Organizations must maintain the accuracy of all personal data within their control, keeping it up to date where necessary and erasing or rectifying inaccurate data without delay. (Separately from this principle, controllers must also keep records of their processing activities.)
- Organizations must adhere to strict storage limitation, and may keep personal data in a form that identifies individuals only for as long as is necessary for the specified purposes of processing.
- All processing must be performed in a way that ensures integrity and confidentiality, protecting personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage through appropriate technical and organizational measures; the regulation names pseudonymization and encryption as examples of such measures.
- Organizations must accept accountability: they are responsible for complying with all the above principles and must be able to demonstrate that compliance.
While the GDPR provides individuals with novel privacy rights, making it an overall positive development in the history of personal autonomy, organizations should be careful to prioritize compliance and not underestimate the difficulty of its language. New protections for personal data come with new responsibilities for those in a position of control over its use, and organizations should remain diligent, seeking assistance and outside resources wherever necessary to ensure full compliance in all circumstances.