GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).
It’s intended to strengthen data protection for all people whose personal information falls within its scope of application, putting control of personal data back into their hands.
Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person.
This applies even to data that has been pseudonymized or encrypted, as long as the transformation is reversible. In terms of meeting data protection obligations under the regulation, this means that decryption keys will need to be kept separately from the pseudonymized data.
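To make the separation concrete, here is an added example (not from the page): a reversible pseudonymization scheme in which identifying fields are swapped for random tokens and the token-to-identity mapping lives in a separate vault, which plays the role the page assigns to decryption keys. The field names and the sample record are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Fields that, alone or combined, identify a living person (drawn from the
# page's examples of personal data).
IDENTIFYING_FIELDS = ("name", "email", "ip_address")


@dataclass
class PseudonymVault:
    """Token <-> identifier mapping. Store it separately from the dataset with
    its own access controls: dataset plus vault re-identifies people, so the
    pseudonymized dataset on its own is still personal data under the GDPR."""
    _forward: dict = field(default_factory=dict)   # token -> original value
    _reverse: dict = field(default_factory=dict)   # original value -> token

    def token_for(self, value: str) -> str:
        # Same input always yields the same token, so records stay linkable.
        if value not in self._reverse:
            token = "tok_" + secrets.token_hex(8)
            self._forward[token] = value
            self._reverse[value] = token
        return self._reverse[value]

    def resolve(self, token: str) -> str:
        return self._forward[token]


def pseudonymize(record: dict, vault: PseudonymVault) -> dict:
    """Replace identifying fields with vault tokens; other fields are untouched."""
    return {k: (vault.token_for(v) if k in IDENTIFYING_FIELDS else v)
            for k, v in record.items()}


def reidentify(record: dict, vault: PseudonymVault) -> dict:
    """Reverse the pseudonymization; only possible for whoever holds the vault."""
    return {k: (vault.resolve(v) if k in IDENTIFYING_FIELDS else v)
            for k, v in record.items()}


def contains_identifiers(record: dict) -> bool:
    """True if any identifying field still carries a raw (non-token) value."""
    return any(k in IDENTIFYING_FIELDS and not str(v).startswith("tok_")
               for k, v in record.items())


# Constructed sample record, not real data.
SAMPLE = {"name": "Jane Example", "email": "jane@example.org",
          "ip_address": "192.0.2.10", "plan": "basic"}
```

If the vault is ever stored alongside the dataset, the separation the page describes is lost and the whole set must be treated as directly identifying.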
Examples of personal data include (but are not limited to) basic identity data such as names; health, genetic and biometric data; web data such as IP addresses; personal email addresses; political opinions; and sexual orientation.
Examples of non-personal data include company registration numbers, generic company email addresses such as firstname.lastname@example.org, and anonymized data.
For example, an internet company may collect user information via its website and store it using a third-party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.
The GDPR can apply where:
This scope effectively covers almost all companies and therefore means that the GDPR can apply to you whether or not your organization is based in the EU. As a matter of fact, this PwC survey showed that the GDPR is a top data protection priority for up to 92 percent of US companies surveyed.
A common misconception is that only EU users are covered by the protections of the GDPR; however, those protections also extend to users outside the EU if the data controller is EU-based. Therefore, if you are an EU-based data controller you must, by default, apply GDPR standards to all your users.
The GDPR became fully enforceable on May 25, 2018.