GDPR stands for General Data Protection Regulation and, legally, it is EU Regulation 2016/679 on the protection of personal data.
GDPR defines the rights and obligations regarding the gathering, processing and movement of EU citizens’ personal data. It provides a high and coherent level of protection, equivalent in all member states, and it also applies to organizations outside the EU that work with EU citizens’ personal data.
The obligations related to handling personal data now cover things like the right to be forgotten, and organizations are now obligated to inform the regulator when they suffer a personal data breach.
So, what is “personal data”?
Put simply, it is all the data about a person that an organization collects, stores and transmits: web forms, cookies, user preferences, medical reports, receipts, etc. GDPR enforces the lawful, fair and transparent processing of personal data in relation to the data subject.
In the GDPR legislation, personal data is defined as
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity
Check Article 4 for detail.
How about highly sensitive data?
GDPR takes into consideration special categories of data that are highly sensitive, such as health, criminal convictions, sexual life, political opinions, genetic data, etc. In such cases, special rules apply.
Check Article 9 for detail.
Who does this apply to?
This applies to all people and organizations that collect, gather, transmit or process in any way European Union citizens’ personal data. Yes, this means that non-EU organizations must comply with this regulation when dealing with EU citizens.
Micro, small and medium-sized organizations are subject to somewhat relaxed compliance requirements. These include a derogation for organizations with fewer than 250 employees with regard to record-keeping.
Public and criminal law organizations are covered by special rules since they address specific national and European issues.
How hard is it for me to comply with GDPR?
As you would expect, it will depend on how big your organization is, what it does and how it already addresses personal data processing.
The best road map for compliance starts with an assessment performed by a multidisciplinary team composed of GDPR-certified people, GDPR-knowledgeable lawyers and a pragmatic IT team that truly understands GDPR.
Get in touch with us if you need help on the subject.