The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise regardless of its location and the data subjects’ citizenship or residence that is processing the personal information of individuals inside the EEA.
The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, but does provide flexibility for certain aspects of the regulation to be adjusted by individual member states.
The regulation became a model for many other laws across the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. As of 2021 the United Kingdom retains the law in identical form despite no longer being an EU member state. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.
GDPR’s seven principles are: Lawfulness, Fairness and Transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and Confidentiality (security); and Accountability.
Data minimisation
The data minimisation principle isn’t new, but it continues to be important in an age when we are creating more information than ever. Organisations shouldn’t collect more personal information than they need from their users.
Integrity and confidentiality (Security)
Under the 1998 data protection laws, security was the seventh principle listed. Over more than 20 years of implementation, a series of best practices for protecting information emerged, and many of these have now been written into the text of the GDPR.
Personal data must be protected against “unauthorised or unlawful processing,” as well as accidental loss, destruction or damage. In plain English, this means that appropriate information security protections must be put in place to make sure information isn’t accessed by attackers or accidentally leaked as part of a data breach.
Importance of Personal Data
Data protection is the process of safeguarding important information from corruption, compromise or loss.
The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. There is also little tolerance for downtime that can make it impossible to access important information.
Storage technologies for protecting data include a disk or tape backup that copies designated information to a disk-based storage array or a tape cartridge. Tape-based backup is a strong option for data protection against cyber-attacks. Although access to tapes can be slow, they are portable and inherently offline when not loaded in a drive, and thus safe from threats over a network.
Organizations can use mirroring to create an exact replica of a website or files so they’re available from more than one place.
Storage snapshots can automatically generate a set of pointers to information stored on tape or disk, enabling faster data recovery, while continuous data protection (CDP) backs up all the data in an enterprise whenever a change is made.
Key pieces of information that are commonly stored by businesses, whether employee records, customer details, loyalty schemes, transactions, or other collected data, need to be protected. This prevents that data from being misused by third parties for fraud, such as phishing scams and identity theft.
Common data that your business might store include:
- Names
- Addresses
- Emails
- Telephone numbers
- Bank and credit card details
- Health information