gdprinfomration.md
GDPR Knowledge Base

In this section, you will find information about what GDPR is and some of the key facts you will need to support your projects.

Scope

GDPR applies to organisations that collect and process the personal data of people in the EU. One might think this means only EU companies are affected; this is not true. GDPR applies to any controller or processor established in the EU, regardless of whether the processing itself takes place inside or outside the EU, and it also applies to organisations outside the EU when they offer goods or services to people in the EU or monitor their behaviour. It protects anyone located in the EU, not only EU citizens. So, for example, a non-EU company using cloud services to process data about EU customers is affected, as is an EU company whose cloud provider hosts the data elsewhere.

Unlike the directive it replaces, GDPR is a regulation, which means it is directly applicable in every member state without having to be transposed into national law. Member states may still pass local legislation on the points the regulation leaves to them (for example the age of consent for children's data), but the core obligations apply uniformly across the EU.

Breach Notification and Penalties

A controller must notify the supervisory authority (the DPA) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if notification is late, the reasons for the delay must be given. Affected data subjects must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. A processor that discovers a breach must notify the controller without undue delay.

  • Max fine: €20 million or 4% of annual worldwide turnover, whichever is higher
  • Tiered approach: a lower tier of €10 million or 2% of turnover applies to violations such as failing to keep records, notify breaches or carry out impact assessments
  • Max fine reserved for the most serious infractions, e.g. violating the basic principles of processing, data subjects' rights or rules on international transfers
  • Applies to data controllers and processors

Key Terms and Concepts

These key terms and concepts are an important part of GDPR and will regularly come up.

  • Data Subject is the natural person whose personal data is being processed, whether they provided it themselves or it was collected about them. GDPR protects people located in the EU regardless of their citizenship.
  • GDPR Personal Data Definition covers any information relating to an identified or identifiable natural person. This is quite extensive, ranging from simple items like name and address to online identifiers such as IP addresses and, under the special categories, genetic, biometric and health data. Follow the link for more details.
  • DPO or Data Protection Officer is the person designated to oversee the organisation's data protection compliance and act as the contact point for the DPA and for data subjects. The role must be independent, so it is not simply another name for a CSO or CIO, and it is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
  • DPA or Data Protection Authority (called the supervisory authority in the regulation) is the independent public body empowered to receive breach notifications, investigate complaints and issue penalties.
  • Data Controller is the organisation that determines the purposes and means of processing the personal data. It is usually the party facing the customer and carries the primary responsibility for compliance.
  • Data Processor is an organisation that stores or processes personal data on behalf of, and on the instructions of, a controller. This is typically a 3rd party providing services (like a cloud service; e.g. Office 365). The same organisation can be a controller for some processing and a processor for other processing, but for any given activity the two roles are distinct and must be set out in a written contract.

Key Directives
