The General Data Protection Regulation (GDPR) is a set of rules for the collection and processing of personal data for EU citizens, allowing them more control over their information.
Personal data must be: processed lawfully and fairly; accurate and up to date; relevant and limited to what is necessary; held only for as long as is strictly necessary; collected only for specified purposes; and kept secure.
The maximum fine is 4% of annual global turnover or €20 million, whichever is greater. GDPR regulators may also issue warnings, carry out audits, or demand that you erase data.
If you process personal data, you’ll have to comply with the GDPR regardless of your organisation’s size.
The GDPR applies to processing carried out by organisations operating within the EU, as well as those outside the EU that offer goods or services to individuals in the EU.
Controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. After the data has been used for its purpose, it should be deleted.
Silence and opt-outs no longer count as consent: the individual has to give explicit opt-in consent before their data can be processed.
Where personal data is processed for direct marketing, the individual’s right to object should clearly be brought to their attention.