General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Although it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data relating to people in the EU. The regulation became applicable on May 25, 2018. The GDPR levies harsh fines on those who violate its privacy and security standards: for the most serious infringements, up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (GDPR.eu).
When we talk about the GDPR we are talking about data privacy. Data privacy is concerned with the collection, handling, and disclosure of personal data. Data privacy and information security are related but distinct concepts. Data privacy protects individuals' rights and freedoms, whereas information security protects an organization's assets and interests. Personal data is the central object of data privacy; information security, on the other hand, covers any information asset that is valuable to the organization, whether or not it is personal data.
Personal data is the key concept in data privacy, so defining the term precisely is crucial. Personal data is any information relating to an identified or identifiable natural person: a name, an ID number, a personal e-mail address, location data, an IP address, a photo, a CCTV recording, and so on. Some personal data falls into special categories that receive stronger protection, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, medical records and other health data, and sexual orientation. Several terms describe the parties and actions involved in handling personal data. The data subject is the natural person who can be identified, directly or indirectly, from the data. The data controller is the entity that determines the purposes and means of the processing. The data processor is the entity that processes personal data on behalf of the controller. Processing is any operation performed on personal data, such as collecting, storing, viewing, transferring, or deleting it.
Key principles of GDPR
The GDPR is a European privacy law adopted in 2016 and applicable since May 25, 2018. It strengthens data subjects' control over their own data, places strict obligations on data controllers (and, through them, on processors), and applies directly as a single set of rules in every EU member state.
Key elements of GDPR
There must be a lawful basis for processing the data, and the controller must be open with the data subject about how the data is processed (Lawfulness, fairness, and transparency)
The purpose of processing any personal data must be specified, documented, and clearly communicated to data subjects, and the data must not be further processed in a way incompatible with that purpose (Purpose limitation)
Only the minimum amount of data needed to fulfil the stated purposes should be collected (Data minimization)
The personal data being processed must be accurate and, where necessary, kept up to date (Accuracy)
Personal data that is no longer necessary for its purpose must be either anonymized or erased (Storage limitation)
Personal data must be kept confidential and secure against internal and external threats, including unauthorized access, accidental loss, and destruction (Integrity and confidentiality, i.e. security)
The data controller must be able to demonstrate compliance with the data protection principles and the regulation as a whole (Accountability)