What is GDPR?
The regulation applies regardless of where websites are based.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live outside the European Union (EU). Its goal is to give consumers control over their own personal data by holding companies accountable for how they process and distribute collected information.
The EU says GDPR is designed to “harmonise” data privacy laws across all its member countries, as well as provide greater protection and rights for consumers.
GDPR can be considered the strongest set of data protection rules in the world, and it places limits on what organizations can do with users’ personal data.
At the heart of the GDPR is personal data. In general, it is information that allows a living person to be identified, directly or indirectly, from available data. This can be something obvious, such as a person’s name, location data or username, or it can be something less obvious: IP addresses and cookie identifiers can be considered personal data. Under the GDPR, there are also several special categories of sensitive personal data that are given greater protection. These special categories include information about racial or ethnic origin, political views, religious beliefs, trade union membership, genetic and biometric data, health information and data about an individual’s sex life or orientation. The main criterion for defining information as ‘personal data’ is that it enables the identification of an individual; pseudonymised data may still fall within the definition of personal data. Personal data is so important under the GDPR because the individuals, organizations and companies that are either “controllers” or “processors” of it are covered by the law.
Although it comes from the EU, GDPR can also apply to businesses that are based outside the region. If a US business, for example, does business in the EU, then the GDPR may apply.
GDPR principles applied to a website mean that all forms must ensure the security of data transfer.
Basic principles of GDPR:
- The principle of data minimization is not new, but it continues to be important in an age when we are creating more information than ever before.
- Organizations should not collect more personal information from their users than is necessary.
- Personal data must be protected against “unauthorized or unlawful processing” as well as against accidental loss, destruction or damage.
- Appropriate information security protections must be put in place to ensure that information is not accessed by hackers or accidentally leaked.
- The GDPR does not say what good security practices look like, as these are different for every organization. In general, appropriate information access controls should be implemented, websites should be encrypted, and pseudonymization is encouraged.
What are your rights with GDPR?
The full rights of individuals under the GDPR are: the right to be informed, the right to access, the right to rectification, the right to erasure, the right to limit processing, the right to data portability, the right to object.
Many large technology companies have their own data portals where it is possible to download some of your information. For example, Facebook allows its users to download all their old images and posts.
The regulation also gives individuals the power to delete their personal data in certain circumstances.
One of the biggest and most talked-about elements of GDPR is the ability of regulators to impose huge fines on businesses that do not comply with it. If an organization does not process an individual’s data in the right way, it can be fined.
In theory, anyone who visits sites based in the European Union is protected. This includes everyone within the union itself and beyond its borders. The regulation also applies to an EU citizen whose data exists outside the union. And if you are a citizen of another country living in the EU, your data is also protected by law.