GDPR Key Notes

The General Data Protection Regulation (GDPR), effective from May 25, 2018, is a comprehensive data privacy law aimed at protecting the personal data of EU citizens and residents. It applies to both EU and non-EU organizations that process data related to EU individuals, imposing severe penalties for non-compliance. Key principles include lawfulness, transparency, data minimization, and individuals' rights such as access, rectification, and erasure of their personal data.

General Data Protection Regulation (GDPR) - Key Notes

The General Data Protection Regulation (GDPR) is widely considered the
most powerful data privacy law globally.
• Effective Date: May 25, 2018
• Predecessor: It succeeded the 1995 EU Data Protection Directive; the
  replacement was necessitated by changes in technology and in how
  organizations process data.
• Purpose: To protect the data of EU citizens and residents

Scope of Application
GDPR applies broadly to organizations:
• Organizations within the EU: Even if they store data outside the EU.
• Organizations outside the EU:
  o If they offer goods or services to EU people.
  o If they use websites or web tools to monitor the behavior of EU
    citizens and residents (e.g., Google suggestions based on activity).

Consequences of Non-Compliance
Non-compliant companies, regardless of location, face severe penalties:
• Fines: Up to 4% of their global revenue or 20 million pounds,
  whichever is higher.
• Compensation: Affected individuals can seek compensation from these
  organizations.

Key Terms and Definitions

Understanding GDPR requires familiarity with specific terms:
• Personal Data (PII - Personally Identifiable Information):
  o Any information related to an individual that can be used to
    identify them.
  o Can be referred to as personal data or personal information.
  o Direct Identifiers: Unique to a person (e.g., name, social
    security number).
  o Indirect Identifiers: (e.g., race, color, age) which, when
    combined, can identify a person.
  o Examples: Website cookies that store user details for tracking
    purposes are considered PII, requiring explicit consent.
• Data Processing: Any action performed on data, such as collecting,
  storing, using, or deleting.
• Data Subject: The person whose data is being processed.
• Data Controller: The person or entity who decides how data is
  processed. If you decide how data is processed in your organization,
  you are the data controller.
• Data Processor: A third-party entity that processes data on behalf of
  the data controller (e.g., a company outsourcing payroll processing).
• Data Protection Officer (DPO):
  o Required under certain conditions.
  o Ensures that the organization complies with GDPR.

Consent and Exceptions

• Explicit Consent: Websites must get explicit consent (e.g., for cookie
  policies) because they use cookies to store user details for tracking
  purposes, which could be PII.
• Exceptions:
  o GDPR primarily applies to organizations engaged in
    professional or commercial activity; private data collection
    (e.g., for a party) is not covered.
  o Small to medium-sized organizations (under 250 employees)
    must still comply but are not required to keep a record of data
    processing.

Seven Principles of GDPR

Anyone processing data must adhere to these principles:
1. Lawfulness, Fairness, and Transparency: Data processing must be
lawful and transparent to the data subject.
2. Purpose Limitation: Data controllers must process data only for the
purpose explicitly specified to the data subject at the time of collection
and not for other purposes.
3. Data Minimization: Data controllers must collect and process only
the data absolutely necessary for the specified purpose, avoiding
extra, unrequired information.
4. Accuracy: Data must always be accurate and up-to-date.
5. Storage Limitation: Data controllers must store data only for as long
as necessary.
6. Integrity and Confidentiality (Security): Data processing must
ensure appropriate security, integrity, and confidentiality.
7. Accountability: The data controller must be able to demonstrate
compliance with all GDPR principles.

Data Security & Breach Notification

• Security Controls: Data controllers must handle data securely by
  implementing controls like multi-factor authentication, end-to-end
  encryption, and limiting system access.
• Data Breach Notification: Organizations must inform data subjects
  of a data breach within 72 hours to avoid penalties.

Conditions for Lawful Data Processing

Data processing is permitted under specific conditions:
• Clear Consent: The data subject has provided clear consent (e.g.,
  opting into newsletters).
• Contractual Necessity: Processing is required to enter into a contract
  where the data subject is a party (e.g., background checks for property
  leasing).
• Legal Obligation: To comply with a legal obligation.
• Vital Interests: To save someone's life.
• Legitimate Interest: The organization has a legitimate interest in
  processing the data.

Data Subject Rights

GDPR grants individuals several rights regarding their personal data:
1. Right to Be Informed: Data controllers must inform users about data
collection.
2. Right of Access: Users have the right to know about data processing,
including purpose and storage duration.
3. Right to Rectification: Users can correct inaccurate or incomplete
personal data.
4. Right to Erasure (Right to Be Forgotten): Users can request the
deletion of any information held about them by the data controller.
5. Right to Restrict Processing: Data subjects can request a
temporary change in data processing if they believe data is inaccurate,
illegally used, or no longer needed.
6. Right to Data Portability: Data controllers must store personal data
in a format that can be easily shared with others.
7. Right to Object: Data subjects have the right to object to the
processing of their personal data.
8. Rights in Relation to Automated Decision Making and Profiling:
Data subjects have the right not to be subject to decisions based solely
on automated processing.
