General Data Protection Regulation (GDPR)

The General Data Protection Regulation, GDPR for short, is the EU's data privacy and security law (Regulation (EU) 2016/679, applicable since 25 May 2018). The GDPR is built on "seven core principles" for the processing of personal data, set out in Article 5:

  • Lawfulness, fairness, and transparency,
  • Purpose limitation,
  • Data minimization,
  • Accuracy,
  • Storage limitation,
  • Integrity and confidentiality, and
  • Accountability.

Several further provisions are what give the GDPR its teeth.

  • Every data subject has rights: to be informed and to access their data, but also to have it rectified or erased, and to restrict or object to its processing. They may also lodge a complaint with a supervisory authority.
  • Controllers and processors must implement appropriate technical and organizational measures to protect personal data, must keep records of their processing activities, and in certain cases must appoint a data protection officer. A controller must report personal data breaches to the supervisory authority (where feasible within 72 hours of becoming aware of them), unless the breach is unlikely to result in a risk to the data subjects; a processor must notify the controller without undue delay.
  • Personal data cannot simply be transferred to other jurisdictions with a lower standard of data protection; transfers outside the EU require an adequacy decision or other appropriate safeguards.
  • There are penalties and fines for noncompliance with the GDPR, and they can be hefty. Two tiers apply: up to €10 million or 2% of total worldwide annual turnover for the less serious infringements, and up to €20 million or 4% of total worldwide annual turnover for the most serious ones (for example, violating the core principles or the rights of data subjects), in each case whichever is higher.