The European Union General Data Protection Regulation (GDPR) gives EU citizens greater control over their personal data and reshapes the way organizations must approach data privacy. GDPR applies to both organizations located within the EU and organizations located outside the EU that handle the personal information of EU residents.
GDPR broadly defines personal data as any information relating to an identified or identifiable natural person. This can include name, address, IP address, health information, financial data, and more.
Key regulatory requirements:
- Establish a legal basis for data processing
- Obtain consent from data subjects in a way that is clear, specific, informed, and unambiguous
- Honor data subject rights, including the right to erasure
- Implement technical and organizational safeguards to ensure data security
- Send timely notifications in the event of a data breach
- Appoint a data protection officer (if applicable)
- Design products and services with privacy in mind
- Conduct a data protection impact assessment to explain how you identify and minimize risks
- Restrict personal data transfers outside of the EU
- Determine if data residency laws are applicable to your organization
- Complete privacy awareness training at least annually
The GDPR is enforced by the European Data Protection Board (EDPB), made up of data protection authorities from each of the 27 EU member states. Companies that fail to comply with GDPR can be fined up to €20M or 4% of their annual revenue for the previous fiscal year, whichever is greater.
