The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data to cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

Scope Checklist

 Personal data: Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

 Data processing: Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.

 Data subject: The person whose data is processed. These are your customers or site visitors.

 Data controller: The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.

 Data processor: A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like Proton Mail.

Data protection principles

 Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.

 Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

 Data minimization: You should collect and process only as much data as necessary for the purposes specified.

 Accuracy: You must keep personal data accurate and up to date.

 Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.

 Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).

 Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all these principles.

Accountability

The GDPR says data controllers must be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways you can do this:

 Designate data protection responsibilities to your team.

 Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.

 Train your staff and implement technical and organizational security measures.

 Have Data Processing Agreement contracts in place with third parties you contract to process data for you.

 Appoint a Data Protection Officer (though not all organizations need one).

For more information, visit https://gdpr.eu/