General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
GDPR replaces the previous EU Data Protection Directive (95/46/EC) and intends to:
- strengthen the data protection offered to individuals regarding their personal information. Personal data is any information that relates to an identified or identifiable individual, e.g. a name or an IP address;
- standardise data privacy laws across the European Union (EU);
- empower all EU citizens when it comes to data privacy;
- change the way organisations approach data privacy.
The regulation applies to all organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of those individuals' citizenship. It covers both EU and non-EU based organisations.
Who does GDPR apply to?
GDPR applies to both controllers and processors of data.
A controller determines the purposes and means of processing personal data and has legal obligations under the regulation, e.g. to maintain records of the personal data it holds and of its processing activities.
A processor processes personal data on behalf of a controller. Processors have their own obligations under GDPR, and controllers must ensure that the processors they use comply with it.
GDPR includes an accountability principle, i.e. businesses must be able to demonstrate compliance, and that includes any data processing supply chain the business might have. As a result GDPR is a matter for the entire organisation, not just for procurement.
The GDPR sets out seven key principles for your approach to processing personal data:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality (security);
- Accountability.
The Information Commissioner's Office (ICO) has issued specific guidance on GDPR and on who is affected by it. Refer to that guidance for more detailed information.