The General Data Protection Regulation (GDPR for short) is Europe’s big new data privacy law. It comes into effect on 25th May 2018 and is the most significant piece of European data protection legislation to be introduced in over 20 years.
GDPR sets out new rules for how all European residents’ data must be handled and replaces the 1995 EU Data Protection Directive.
GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU.
GDPR compliance isn’t just for European companies.
GDPR applies to businesses of all sizes, regardless of whether you have 1 or 10,000 employees, and regardless of where you or your company is based.
If you offer products and services to customers located within Europe, then GDPR will apply to you.
The data that is protected under GDPR (as with the DPA) is data concerning individuals (not companies). However, the definition is wider under GDPR and “Personal Data” extends to any information pertaining to an individual, whether it relates to their private, professional or public life. It can be anything from a name, to a home address, photo, email address, bank account details, posts on social networking websites, medical information, a computer’s IP address and more. In other words, if in the course of running your business you collect and use any data about anyone that identifies them, this will be Personal Data and you are required to follow the law in the way it is handled, accessed, stored or transferred. The individual is called the Data Subject.
Here is a link to an overview of the GDPR by the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr.