The General Data Protection Regulation (GDPR) is the EU's data privacy and security law. The GDPR is based on "seven core principles":
- Purpose limitation,
- Fairness, lawfulness, and transparency,
- Data minimization,
- Storage limitation,
- Accuracy,
- Confidentiality and integrity, and
- Accountability.
There are also provisions that give the GDPR teeth:
- Every data subject has rights: to information about and access to their data, but also to rectification and erasure of it. They may also lodge a complaint with a supervisory authority.
- Data processors need to implement technical and organizational measures to protect data, they need to keep records of their data processing activities, and in certain cases they must appoint a data protection officer. Data breaches must be reported to the supervisory authorities.
- Data cannot simply be transferred to other jurisdictions with a lower standard of data protection.
- There are penalties and fines for noncompliance with the GDPR, and they can be hefty: up to €10 million or up to 4% of the annual worldwide turnover in the case of a business.