What is GDPR?

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) replaces the 1995 Data Protection Directive (95/46/EC) which, given the pace of change over the last 20 years, is widely accepted as no longer fit for purpose in a data driven world. The following sentence, from Recital 6 of the Regulation itself, sums up what the new legislation is looking to achieve.

“Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”

Much of what is required under GDPR is data protection best practice. The difference is that data subjects (people) now have enforceable legal rights around knowing what personal data you hold on them, how you process it, and how it is deleted (the right to erasure, popularly known as “the right to be forgotten”). Furthermore, GDPR introduces accountability: a controller must be able to demonstrate compliance, and regulators may levy fines for non-compliance of up to 4% of a company’s annual worldwide turnover or €20 million, whichever is higher.

GDPR applies to any organization established in the EU that processes personal data, regardless of where the processing takes place, and to any organization outside the EU that processes personal data of people who are in the EU in connection with offering them goods or services or monitoring their behaviour. Note that the test is where the data subject is located, not their nationality: the Regulation protects EU residents and visitors, not only EU citizens. So if your company is headquartered in a non-EU state such as the USA but serves or tracks users in the EU (as many online businesses do), you are still subject to GDPR rules.