In our day-to-day lives, almost everything revolves around data. Social media companies, retailers, banks and governments all run services that collect and analyze our personal data. Your name, address, credit card number and more are all collected, analyzed and, most importantly, stored by organizations.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
The regulation applies if the data controller (an organization that determines why and how personal data is collected and processed) or the data processor (an organization that processes data on behalf of a controller, such as a cloud service provider) is established in the EU. It also applies to organizations established outside the EU if they process personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour (Article 3).
The GDPR aims primarily to give citizens and residents control over their own personal data, and to simplify the regulatory environment for international business by replacing the patchwork of national rules with a single regulation that applies across the EU. It also restricts the transfer of personal data outside the EU and EEA.
Under the terms of the GDPR, organizations must not only ensure that personal data is gathered lawfully and under strict conditions, but those who collect and manage it are also obliged to protect it from misuse and exploitation and to respect the rights of data subjects, or face penalties for failing to do so.
One of the major changes the GDPR brings is the right of individuals to be told when their data has been breached. Controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Article 33), and must inform the affected individuals when the breach is likely to result in a high risk to their rights and freedoms (Article 34), so that they can take steps to protect themselves against misuse of their data.
The regulation contains 99 articles that set out the rights of individuals and classify organizations as either "controllers" or "processors". A controller determines the purposes and means of processing and directs the collection of personal data, while a processor carries out the actual processing of that data on the controller's behalf.
The regulation turns what has long been considered good security practice into a legal minimum. In particular, Article 32 (security of processing) and the data protection principles of Article 5 write established information security concepts directly into data protection law, including:
- Minimization of the personal data collected, so that only what is necessary for the stated purpose is held.
- Protecting the classic "confidentiality, integrity, and availability" of personal data, including through pseudonymisation and encryption where appropriate.
- Managing, limiting and controlling access to personal data.
- Resilience of processing systems and services, and the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident.
- Regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures implemented.