What is GDPR?

The General Data Protection Regulation (GDPR) is widely regarded as the world’s strictest data protection and privacy law. Promulgated by the European Union (EU), it regulates any organization that collects or processes the personal data of individuals in the EU. The European Parliament and Council adopted GDPR in April 2016, and it became applicable on 25 May 2018, the date by which all organizations in scope had to comply. 

Why was the General Data Protection Regulation introduced? 

The EU introduced GDPR to “harmonize” data privacy rules across Europe and to replace the 1995 Data Protection Directive (95/46/EC). Its primary goal is to give individuals in the EU greater rights and protection and to improve how organizations handle personal data. GDPR is built on more than four years of planning and on earlier data protection principles, modernizing and strengthening data protection law.

What are the General Data Protection Regulation’s principles? 

GDPR’s seven main principles govern the lawful processing of personal data. Processing includes data collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure, or destruction of personal data. 

Those principles are: 

  • Lawfulness, fairness, and transparency – Organizations must have a valid legal basis for each processing activity and must be transparent, open, and honest with data subjects about who they are, what data they process, how they process it, and why.
  • Purpose limitation – Organizations may collect personal data only for “specified, explicit and legitimate purposes” and may not further process it in a way that is incompatible with those purposes.
  • Data minimization – Organizations may collect only the data that is adequate, relevant, and necessary for those purposes.
  • Accuracy – Organizations must take reasonable steps to keep personal data accurate and up to date, and to correct or erase data that is inaccurate or incomplete.
  • Storage limitation – Organizations may not keep personal data in identifiable form for longer than is necessary for the purposes for which it was collected.
  • Integrity and confidentiality – Organizations must protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures (for example access control, encryption, and backups).
  • Accountability – The controller is responsible for compliance with the other six principles and must be able to demonstrate it, for example through records of processing activities, documented policies, and data protection impact assessments.

Who and what is subject to the General Data Protection Regulation? 

GDPR applies to any organization or individual that processes personal data in the context of an establishment in the EU, and to organizations outside the EU that process the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour, irrespective of where the organization is headquartered. Personal data is any information relating to an identified or identifiable living person, whether it identifies them directly or indirectly. Examples include a person’s name, telephone, credit card or personnel number, account data, vehicle registration number, physical appearance, customer number, or address. Online identifiers such as IP addresses and cookie IDs, and biometric data such as fingerprints or facial images, are also personal data under GDPR.

Individuals and organizations subject to GDPR are classified into one of two categories: 

  • Controllers – These individuals or organizations are the primary decision-makers: they determine the purposes and means of processing personal data and carry the primary responsibility for compliance. When two or more parties jointly determine purposes and means, they are known as joint controllers.
  • Processors – These individuals or organizations process personal data on behalf of and on the documented instructions of a controller. They have fewer direct obligations than controllers, but must still keep records of processing, implement appropriate security measures, notify the controller of personal data breaches, and process data only under a written contract. A processor that processes data for its own purposes, beyond the controller’s instructions, becomes a controller for that processing.

What rights does the General Data Protection Regulation grant individuals? 

GDPR gives individuals greater control over how organizations use their personal data. These rights are: 

  • The Right to be Informed – Organizations must clearly inform people about the collection and use of their data (typically in a privacy notice) and must notify them without undue delay when a data breach is likely to result in a high risk to their rights and freedoms.
  • The Right of Access – Organizations must confirm whether they process an individual’s data and, on request, provide a copy of it, explain why it was collected, and say to whom it was disclosed. Requests must normally be answered within one month (extendable by two further months for complex requests) and free of charge, unless a request is manifestly unfounded or excessive.
  • The Right to Rectify Information – Organizations must correct inaccurate data or complete incomplete data within one month of a request.
  • The Right to be Forgotten (Erasure) – Organizations must erase personal data when it is no longer necessary for the purpose it was collected for, when the individual withdraws consent and no other legal basis applies, when the individual objects and no overriding legitimate grounds exist, or when the data was processed unlawfully. The right is not absolute; for example, data that must be kept to meet a legal obligation is exempt.
  • The Right to Restrict Data Processing – Individuals can require an organization to stop actively processing their data (while still storing it) in certain circumstances, such as while the accuracy of the data is being contested.
  • The Right to Data Portability – Upon request, organizations must provide individuals with the data they supplied in a structured, commonly used, machine-readable format, and transmit it directly to another controller where technically feasible.
  • The Right to Object – Individuals can object to processing of their data, including processing based on legitimate interests, and have an absolute right to object to direct marketing.
  • Rights related to Automated Individual Decision-Making – Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them. Exceptions apply where the decision is necessary for a contract, authorized by law, or based on explicit consent, and even then the organization must provide safeguards such as the right to obtain human intervention and to contest the decision.

The future of the General Data Protection Regulation

The future of GDPR will likely involve further adaptation and evolution to address emerging technological challenges and protect individual privacy. As data collection and processing methods advance, there will be a growing emphasis on regulating artificial intelligence, machine learning, and automated decision-making systems. The EU may introduce stricter enforcement measures and penalties to ensure compliance. Cross-border data transfers and international data protection standards will remain key focus areas. Additionally, emerging issues such as facial recognition, biometric data, and the Internet of Things (IoT) will necessitate updates to the regulation, fostering a more comprehensive and privacy-centric approach to data management.
