GDPR (General Data Protection Regulation) is a regulation of the European Union by which the European Parliament, the Council of the European Union and the European Commission are strengthening and unifying the protection of personal data of all persons in the European Union (EU). The regulation also covers the export of data from the EU.
The main objectives of GDPR
- to provide individuals with the opportunity and tools to control their personal data;
- the introduction of modern standards for the protection of personal data;
- the development of the EU digital space for the protection of personal data;
- ensuring strict compliance with the rules by all participants, including the competent authorities of the EU Member States;
- legal support for the international transfer of personal data.
GDPR covers the following types of data
- Personal data – data that can be associated with an individual and that allows that person to be identified (for example: name, address, date of birth). Personal data may also include encoded information (“anonymous” information) if it can be associated with an individual, regardless of how obscure or technical it is.
- Confidential personal data – data that contains additional information about personal data (for example: ethnic origin, religious views, etc.). Confidential personal data also includes biometric data and DNA data.
Scope of GDPR
The GDPR covers the fully or partially automated processing of personal data of EU citizens in the European Union and outside it by individuals or legal entities, government agencies and other institutions and organizations.
Preparing for the GDPR
Based on this publication prepared by the European Union Publications Bureau, there are 7 steps that an organization can take to prepare for the General Data Protection Regulation:
1) Identification and inventory of the personal data collected and used, and of the purposes of these actions.
2) Informing customers, employees and other individuals about the need to collect their personal data.
3) Determination of the required periods of personal data storage.
4) Ensuring the protection of the personal data that you process (development of security parameters for your IT system, security of storing paper documents, personal data in the cloud).
5) Ensuring the safety of data processing documentation.
6) Monitoring compliance with personal data security rules when working with subcontractors.
7) Appointment of a specialist responsible for ensuring data protection.
