GDPR

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a legal framework that sets out a number of guiding principles for the collection and processing of personal information of individuals within the European Union (EU) and the European Economic Area (EEA). On 25th May 2018 the GDPR came into effect across the EU. GDPR places new requirements on all organizations that handle EU personal data.

What exactly is regulated by the GDPR?

The GDPR regulates the collection, storage, transfer, and use of data of EU individuals. It covers any organization that processes personal data of EU individuals, whether or not the organization has a physical base in the EU. Organizations must be aware that the concept of “personal data” is very broad and covers any data relating to an identified or identifiable data subject. GDPR also addresses the export of personal data outside the EU and EEA. It should be noted, however, that the GDPR does not require EU personal data to stay in the EU.

Does GDPR change privacy law?

Yes. The GDPR is an all-embracing data protection law in the EU. It is a new law, and replaces the unconnected national data laws that previously existed across the EU with a single, directly enforceable one. The biggest change that comes with GDPR is the expanded data privacy rights of EU individuals. It also requires that EU-based individuals be notified of data breaches affecting them. Furthermore, it places added accountability requirements on organizations, as well as an onus on them to provide added security for the protection of their customers’ data.

How does GDPR improve customer experience?

GDPR helps companies increase transparency, which is vitally important in today’s business environment. Customers are often concerned about their data and what it is being used for. GDPR makes this information more transparent and requires organizations to state clearly how the data is processed. As a primary aim it also gives individuals the opportunity to control their own data, whilst simultaneously simplifying the regulatory environment for international business by unifying disparate privacy regulations within the EU.

GDPR FAQs

Does GDPR apply to organizations outside the EU?

Yes, GDPR has extraterritorial reach. Non-EU organizations processing data of EU residents must comply or face fines and restrictions.

What is the role of the Data Protection Officer?

The Data Protection Officer (DPO) is a pivotal figure in ensuring an organization’s GDPR compliance. They oversee data protection activities, act as liaison for individuals and supervisory authorities, and provide crucial advice on GDPR-related obligations.

Can personal data be transferred outside the EU?

Yes, but only if the destination country ensures an adequate level of data protection. Transfers can also be made using mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and approved codes of conduct or certification mechanisms.

Do data backups have to comply with GDPR?

Yes, data backups must comply with GDPR requirements. This means organizations are obligated to secure backups using encryption to protect against unauthorized access, retain them only for as long as necessary to fulfill their intended purpose, and ensure that backups are accounted for in their data breach response plans to mitigate risks effectively.