General data protection regulation (GDPR)

From LINKS Community Center
Jump to: navigation, search

Quick Facts

Publishing Organisation:
European Parliament and EU Council
Danish, English, German, Italian, Hungarian & all EU languages
Covers Thematic
  • Legal/Standards Legal Requirement means any federal, state, local, municipal, foreign or other law, statute, constitute, principle of common law, resolution, ordinance, code, edict, decree, rule, regulation, ruling or requirement issued, enacted, adopted, promulgated, implemented or otherwise put into effect by or under the authority of any Governmental Body. </br></br>Source:</br></br>Standards are voluntary documents that set out specifications, procedures and guidelines that aim to ensure products, services, and systems are safe, consistent, and reliable. They cover a variety of subjects, including consumer products and services, the environment, construction, energy and water utilities, and more.</br></br>Source:
  • Target audience
    Audience experience level
  • Intermediate Those who currently use social media to communicate with the public and have developed a draft social media strategy, even if this is not thoroughly documented or communicated across the organisation</br></br>Source:
  • Disaster Management Phase
  • Before Comprises 'Preparedness Phase' and 'Prevention Phase'</br></br>Preparedness action is carried out within the context of disaster risk management and aims to build the capacities needed to efficiently manage all types of emergencies and achieve orderly transitions from response to sustained recovery.</br></br>Source:</br></br>Prevention (i.e., disaster prevention) expresses the concept and intention to completely avoid potential adverse impacts of hazardous events.</br></br>Source:
  • During Also referred to as "Response Phase"</br></br>Actions taken directly before, during or immediately after a disaster in order to save lives, reduce health impacts, ensure public safety and meet the basic subsistence needs of the people affected.</br></br>Annotation: Disaster response is predominantly focused on immediate and short-term needs and is sometimes called disaster relief. Effective, efficient and timely response relies on disaster risk-informed preparedness measures, including the development of the response capacities of individuals, communities, organizations, countries and the international community.</br></br>Source:
  • After Also referred to as 'Recovery Phase'</br></br>The restoring or improving of livelihoods and health, as well as economic, physical, social, cultural and environmental assets, systems and activities, of a disaster-affected community or society, aligning with the principles of sustainable development and “build back better”, to avoid or reduce future disaster risk.</br></br>Source:
  • Synopsis


    • The general data protection regulation (GDPR) protects individuals when their data is being processed by the private sector and most of the public sector.
    • The processing of data by the relevant authorities for law-enforcement purposes is subject to the data protection law enforcement directive (LED) instead.
    • It allows individuals to better control their personal data. It also modernises and unifies rules, allowing businesses to reduce red tape and to benefit from greater consumer trust.
    • It establishes a system of completely independent supervisory authorities in charge of monitoring and enforcing compliance.


    Individuals’ rights

    The GDPR strengthens existing rights, provides for new rights and gives individuals more control over their personal data. It includes the following.

    • Easier access to an individual's own data.
      • This includes providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way.
    • A new right to data portability.
      • This makes it easier to transmit personal data between service providers.
    • A clearer right to erasure (right to be forgotten).
      • When an individual no longer wants their data to be processed and there is no legitimate reason to keep it, the data will be deleted.
    • The right to know when their personal data has been breached.
      • Companies and organisations have to notify the relevant data protection supervisory authority and, in cases of serious data breaches, also the individuals affected.

    Rules for businesses

    The GDPR creates a level playing field for all companies operating in the EU internal market, adopts a technology-neutral approach and stimulates innovation through a number of steps, which include the following.

    • A single set of EU-wide rules.
      • A single EU-wide law for data protection increases legal certainty and reduces administrative burden.
    • A data protection officer.
      • A person responsible for data protection has to be designated by public authorities and by businesses that process data on a large scale, or whose core activity is the processing of special categories of data, such as health-related data.
    • One-stop shop.
      • Businesses only have to deal with one single supervisory authority (in the EU Member State in which they have their main establishment); the relevant supervisory authorities cooperate in the framework of the European Data Protection Board for cross-border cases.
    • EU rules for non-EU companies.
      • Companies based outside the EU must apply the same rules when offering services or goods to, or when monitoring the behaviours of, individuals within the EU.
    • Innovation-friendly rules.
      • A guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default).
    • Privacy-friendly techniques.
      • Pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it), for example, are encouraged, in order to limit the intrusiveness of processing.
    • Removal of notifications.
      • The GDPR scrapped most notification obligations and the costs associated with these.
        • One of its aims is to remove obstacles that affect the free flow of personal data within the EU.
        • This will make it easier for businesses to expand in the single digital market.
    • Data protection impact assessments.
      • Organisations will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals.
    • Record keeping.
      • Small and medium-sized enterprises are not required to keep records of processing activities – unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed, or includes sensitive categories of data.
    • A modern toolbox for international data transfers.
      • The GDPR offers various instruments to transfer data outside the EU, including adequacy decisions adopted by the European Commission where the non-EU country offers an adequate level of protection, pre-approved (standard) contractual clauses, binding corporate rules, codes of conduct and certification.

    Linked to

    The General Data Protection Regulation (GDPR) is a privacy and security law drafted and passed by the European Union (EU). It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.