The General Data Protection Regulation (GDPR) is a regulation which intends to strengthen and unify data protection for individuals within the European Union (EU).
The GDPR covers personal data. (Sometimes referred to as personally identifiable information – PII). This includes names, addresses, phone numbers, account numbers, email and IP addresses.
The goal of the GDPR is to give control and power over personal data back to users. It’s your personal data but in many cases you’re not really in control of it. The new law is a significant development for personal privacy which aims to return the balance back in favour of the individual.
The GDPR takes into account the many advances in new technology and media.
When the existing Data Protection Act (DPA) was introduced, in 1998, the internet was very new. People didn’t understand the full implications of what it would lead to. Additional developments such as social media and cloud computing have drastically altered the information landscape. It is clear that far more information is now being held, processed and transferred. Our personal data now contains many more types of information and it is used in more ways than ever before.
The GDPR adds new requirements for documenting procedures, performing risk assessments, notifying the consumer or user and authorities when there is a breach, as well as strengthening rules for data minimisation.
In summary, the GDPR legislates a lot of common sense data security and privacy ideas: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access and secure data through its entire lifecycle.