The dawn of the Information Age has undoubtedly changed many aspects of our day-to-day lives. Seemingly limitless amounts of information are constantly at our fingertips, and it’s easier than ever to shop, bank, and communicate with each other.
At the same time, we are sharing increasing amounts of personal information over the Internet, and there is always the risk of bad actors obtaining it. Numerous recent examples, including breaches of data held by Equifax, Uber, MyFitnessPal, and others, show that this risk frequently becomes reality.
Privacy concerns have led activist groups and governments around the globe to press for certain protections for those of us whose data are out there on the Web. The European Union has led the charge in many ways. Case in point: the EU’s General Data Protection Regulation (GDPR).
The GDPR is a wide-ranging regulation governing how the personal data of individuals in the EU (its “data subjects”) may be collected, stored, and processed. Even for businesses located outside the EU, it has the potential to represent a major compliance challenge. Over the course of several posts, we’ll cover this extensive topic, beginning here with a brief overview of the basics of the regulation, followed by its key provisions and tips for training staff on compliance.
The GDPR was adopted in April 2016 following years of preparation and debate, and it has applied since May 25, 2018.
Who Is Subject to the Rules?
According to EUGDPR.org, “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
The GDPR governs how “personal data” need to be handled. EUGDPR.org explains that personal data are “[a]ny information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
The GDPR is a major piece of transnational legislation with global implications. It would be impossible to cover the entire subject in three short blog posts, but we hope this very high-level overview gives readers enough information to understand where they need to do further research.