The General Data Protection Regulation (GDPR) is a European Union regulation scheduled to go into effect on 25 May 2018.
Coming to fruition after more than four years of deliberation (see timeline), the GDPR aims to standardize and strengthen data protection policies for residents of EU member nations. It replaces the prior Data Protection Directive (95/46/EC) of 1995 and, as a regulation rather than a directive, will apply immediately on its enforcement date without requiring individual transposition into member state legislation.
Does It Affect You?
GDPR affects you if you sell or store personal information on any citizen based within the EU, even if your business is outside the EU. It provides citizens of the EU and EEA with greater control over their personal data and assurances that their information is being securely protected across Europe.
According to the GDPR, personal data is any information related to a person, such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
The GDPR not only applies to organisations located within the EU; it will also apply to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
What is "Personal Data"?
Personal data can be any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (Who does the GDPR apply to? [From ICO Website]).
Does My Business Need To Appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn't fall into one of these categories, then you do not need to appoint a DPO.
What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.