The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Its full title is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR’s goals are to enhance individuals’ control and rights over their personal information and to simplify the regulations for international business.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
To go in depth
The General Data Protection Regulation (GDPR) outlines 6 data protection principles that summarise its many requirements.
- Lawfulness, fairness and transparency: You must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: You must only collect personal data for specified, explicit and legitimate purposes. You must clearly state what those purposes are, and must not further process the data in a manner that is incompatible with them.
- Data minimisation: You must ensure that the personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
- Accuracy: You must take every reasonable step to rectify or erase personal data that is inaccurate or incomplete. Individuals have the right to request that you rectify or erase inaccurate data that relates to them, and you must act on such a request without undue delay and at the latest within one month (extendable for complex requests).
- Storage limitation: You must keep personal data in a form that identifies individuals for no longer than necessary, and delete or anonymise it when you no longer need it. In most cases the GDPR sets no fixed retention periods; they depend on your business' circumstances and the reasons why you collect the data.
- Integrity and confidentiality: You must keep personal data secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GDPR includes an additional principle, accountability, which acts as an overarching set of requirements related to the other six. By achieving accountability, organisations demonstrate that they have the necessary documentation to prove that they are meeting their compliance requirements.
The GDPR: Understanding the 6 data protection principles