What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the privacy law enacted by the European Union, which will be in force from May 25, 2018. The law covers all organizations that handle any personal information of residents of the European Union (EU). However, an organization need not be situated in the European Union to come under the purview of the regulation; it can be based in any other part of the globe. The regulation applies to natural persons, that is, living individuals.

The purpose of the General Data Protection Regulation (GDPR) is to make organizations handling personal information of EU residents responsible for the privacy and security of that data. Any leakage of such data from their possession can lead to severe financial, legal and reputational risks for the organization, which may even threaten its existence. Hence organizations must improve the security of data storage and data handling by implementing proper safeguards.

The right to privacy of individuals gets top priority, and hence organizations must respect that right by collecting only the personal data essential for the service offered and by safeguarding the data they collect. Personal information means any information that could be used to identify a person. Privacy obligations apply to any information that reveals the identity of a person, either by itself or in combination with other pieces of information. Addresses, dates of birth, passport numbers, biometrics, driving license numbers, financial details, citizen membership numbers, health history, and information relating to a person's sexual, religious, or political orientation all count as such sensitive personal information.

Some of the main principles of GDPR are:
• Personal data of individuals shall be processed lawfully, fairly, and in a transparent manner. Such data shall be collected only with explicit consent, after the individual has been told what data are being collected and for what purpose.
• Personal data shall be collected only for specified, explicit, and legitimate purposes. It shall not be used for any purpose other than the stated one.
• Personal information shall be retained and processed only as long as required.
• Personal data must be kept accurate and up to date.
• Individuals have the right to demand a copy of their data, or to demand that their personal data no longer be used. In some cases, they can have it deleted permanently.

Organizations must ensure adequate security measures to protect personal data against accidental or unlawful destruction, cyberattacks, loss, alteration, or disclosure. They are also required to properly train the persons handling such data to ensure the security and protection of that information. The risks associated with data leakage are high, and hence organizations should adopt best practices and safeguards for maintaining personal information, with periodic review and upgrades. Proper documentation, logs and compliance shall be ensured in all cases. Whenever an organisation shares data with third parties, it shall ensure that the third party also follows best practices and safety measures to keep personal data confidential.

If a breach does happen, the organization shall report the details within 72 hours of becoming aware of the data breach. Punishment for breach of GDPR can lead to penalties of up to 4% of global revenue. This penal provision makes GDPR violation one of the most costly under any global regulation.

Posted by attemptnwin
Asked on May 4, 2018 8:44 am