
GDPR (General Data Protection Regulation)

What is GDPR?

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the legal framework that protects the personal data and privacy of individuals within the European Union (EU) and the European Economic Area (EEA). Effective from May 25, 2018, it replaced the 1995 Data Protection Directive (Directive 95/46/EC). As a regulation rather than a directive, it applies directly in every member state without separate national implementing laws. The GDPR strengthens privacy protections for individuals and imposes compliance obligations on organizations, balancing personal privacy rights with organizational responsibilities.

What is the purpose of the GDPR?

The purpose of the GDPR is to give individuals control over their personal data, including rights to access, correct, delete, and restrict its use. It enhances privacy protections, requires transparency, and sets clear rules for organizations on collecting, processing, and storing personal data. The regulation also aims to improve data security and accountability, and it applies not only within the EU but also to organizations anywhere in the world that process the personal data of individuals in the EU.

Who must comply with the GDPR?

The GDPR protects individuals who are in the EU and EEA, and it binds any organization that processes their personal data. Organizations established in the EU must comply regardless of where the processing takes place, and organizations established outside the EU must comply if they offer goods or services to individuals in the EU or monitor their behaviour (Article 3). For example, a company based in Germany must comply with the GDPR, and so must a company based in India that provides services to residents of Germany.

The GDPR applies in the following EU member states:

  • Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic
  • Denmark, Estonia, Finland, France, Germany, Greece
  • Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg
  • Malta, The Netherlands, Poland, Portugal, Romania, Slovakia
  • Slovenia, Spain, Sweden

It also applies in the three non-EU EEA states:

  • Iceland, Liechtenstein, Norway

Key terminologies used in the GDPR

  • Personal data: Any information relating to an identified or identifiable natural person, whether it relates to his or her private, professional, or public life (names, e-mail addresses, IP addresses, and location data all qualify).
  • Data processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Data subject: The natural person whose personal data is processed, such as a customer, employee, or contact person.
  • Data controller: The individual or organization that determines the purposes and means of processing personal data and is responsible for it (e.g., an employer).
  • Data processor: A third party that processes personal data on behalf of the controller and under its instructions (e.g., an email service provider).

What are the rights of data subjects according to the GDPR?

The GDPR grants data subjects several rights to control their personal data:

  • Right to be informed: They must be informed about how their data is collected, processed, and used.
  • Right of access: They can request access to view and get copies of their personal data.
  • Right to rectification: They can request corrections to inaccurate or incomplete data.
  • Right to erasure (right to be forgotten): They can request deletion of their data under certain conditions, for example when it is no longer needed for the purpose it was collected for or when consent is withdrawn.
  • Right to restrict processing: They can request temporary restriction of data processing in specific cases.
  • Right to data portability: They can receive their data in a common format and transfer it to another organization.
  • Right to object: They can object to data processing for purposes like direct marketing or profiling.
  • Rights related to automated decision-making and profiling: They can reject decisions made solely through automated processing that have significant effects.

What are the key principles of the GDPR?

The GDPR establishes seven key principles (Article 5) that guide organizations in the collection, processing, and management of individuals' personal data:

  • Lawfulness, fairness, and transparency: Organizations must inform data subjects clearly and transparently about how their data will be used, ensuring all processing is legal and fair.
  • Purpose limitation: Personal data should only be collected and used for specific, explicitly stated purposes.
  • Data minimization: Data collection should be limited to only what is necessary for the intended purpose.
  • Accuracy: Organizations must ensure that the data they hold is accurate and, where necessary, kept up to date. Inaccurate or outdated data must be corrected or erased without delay, whether discovered internally or reported by the data subject.
  • Storage limitation: Personal data should not be retained longer than necessary for the specified purposes.
  • Integrity and confidentiality: Data must be secured with appropriate measures to prevent theft, unauthorized access, or misuse.
  • Accountability: Organizations are responsible for ensuring and demonstrating compliance with the GDPR regulations.

What is GDPR compliance?

GDPR compliance means that an organization within the scope of the GDPR meets the requirements for handling personal data as defined in the regulation, and can demonstrate that it does so.

How important is GDPR compliance for organizations?

GDPR compliance ensures the lawful and secure handling of the personal data of individuals in the EU. It is important for organizations because it can:

  • Avoid fines and penalties
  • Build customer trust
  • Improve operational efficiency
  • Mitigate security and privacy risks
  • Gain a competitive advantage over others in business

What are the penalties for violating the GDPR?

The GDPR outlines penalties for organizations/businesses that violate its regulations, categorized into two tiers:

  • First tier (less severe violations, e.g., failing to keep processing records or to notify a breach): Fines of up to €10 million or 2% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Second tier (severe violations, e.g., breaching the basic processing principles or data subjects' rights): Fines of up to €20 million or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher.

Additionally, data subjects have the right to seek compensation for damages resulting from the GDPR violations.

What are the guidelines for data breach notification under the GDPR?

The GDPR not only regulates how organizations must protect personal data; it also stipulates what an organization must do after a security breach that affects personal data. Under Article 33, the controller must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the notification is made later than 72 hours, it must include the reasons for the delay. Under Article 34, where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay. A processor that detects a breach must notify its controller without undue delay. Failure to notify can result in a fine of up to €10 million or 2% of worldwide annual turnover, whichever is higher.

What are the guidelines for email retention under the GDPR?

The GDPR contains no rule specific to email; rather, its general principles apply to any personal data stored in mailboxes and mail archives. In practice this means storing personal data in emails securely, keeping it no longer than necessary, and processing it on a lawful basis.

Key guidelines include:

  • Purpose limitation: Emails must only be retained for as long as necessary to fulfill the original purpose for which they were collected.
  • Data minimization: Retain only the data necessary for processing purposes, avoiding excessive storage of emails.
  • Storage limitation: Organizations should define and document retention periods for different types of emails. Once the retention period expires, emails must be securely deleted unless required for legal or regulatory reasons.
  • Lawful basis: Emails must have a lawful basis for processing, such as consent, contractual necessity, legal obligations, or legitimate interests.
  • Right to erasure: Individuals have the right to request the deletion of their personal data, including emails, unless legal obligations prevent it.
  • Security measures: Emails containing personal data must be protected through encryption, access controls, and secure deletion methods to prevent unauthorized access.
  • Data breach notification: If emails containing personal data are compromised (for example through a mailbox takeover or a misdirected message), the organization must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them.

What are the other regional laws/regulations across the globe?

Data privacy laws across the globe that are similar to the GDPR:

  • Australia – Privacy Amendment (Notifiable Data Breaches) Act
  • Brazil – Lei Geral de Proteção de Dados (LGPD)
  • Canada – Personal Information Protection and Electronic Documents Act (PIPEDA); the Digital Charter Implementation Act (Consumer Privacy Protection Act) was proposed as its replacement
  • Chile – Ley 19.628 on the Protection of Private Life
  • China – Personal Information Protection Law (PIPL)
  • Egypt – Personal Data Protection Law No. 151
  • India – Digital Personal Data Protection Act, 2023 (which replaced the earlier Personal Data Protection Bill)
  • Israel – Protection of Privacy Law & Data Security Regulations
  • Japan – Act on Protection of Personal Information (APPI)
  • New Zealand – Privacy Act 2020
  • Nigeria – Nigeria Data Protection Regulation (NDPR)
  • South Africa – Protection of Personal Information Act (POPIA)
  • South Korea – Personal Information Protection Act (PIPA)
  • Switzerland – revised Federal Act on Data Protection (revDSG / FADP)
  • Thailand – Personal Data Protection Act (PDPA)
  • Turkey – Law on Personal Data Protection (KVKK)
  • United States (California) – California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)

What are the other major compliance standards apart from GDPR?

  • SOC 2 – System and Organization Controls 2 (AICPA attestation on security, availability, processing integrity, confidentiality, and privacy)
  • HIPAA – Health Insurance Portability and Accountability Act
  • ISO/IEC 27001 – International standard specifying requirements for an information security management system
  • PCI DSS – Payment Card Industry Data Security Standard
  • ISO/IEC 27017 – Code of practice for information security controls for cloud services
  • CCPA – California Consumer Privacy Act
  • CIS Controls and Benchmarks – Center for Internet Security
  • NIST SP 800-53 – Security and Privacy Controls for Information Systems and Organizations
  • NIST CSF – NIST Cybersecurity Framework