What is GDPR?

The General Data Protection Regulation (GDPR) is Europe’s data protection law, designed to unify and improve the privacy of personal data across Europe. The GDPR intends to provide European Union (EU) residents with more visibility and control over the way their data is collected and processed.

The GDPR protects the personal data of data subjects from the EU, including citizens, visitors, and noncitizen residents, regardless of where their data is being held or processed — and penalties for non-compliance can be substantial.

In the age of big data analytics, cloud computing and mobile access, organizations can struggle to keep track of all their data sources. Data is increasingly accessible — and in increasingly complex combinations. Due to this, figuring out every place you hold the personal information of even a single EU data subject is an enormous challenge — and with hundreds or thousands of customers, a vastly bigger one.

The GDPR has defined six important principles on how personal data should be processed. It mandates that personal data shall be:

  • Processed lawfully, fairly, and in a transparent manner (Lawful, fair, and transparent).
  • Collected only for specified, explicit, and legitimate purposes. Data should not be further processed in a manner that conflicts with these initial purposes (Purpose limitation).
  • Adequate, relevant, and limited to what is necessary (Data minimization).
  • Accurate and, where necessary, kept up-to-date (Data accuracy).
  • Processed in a way that data subjects can’t be identified once their data has been used for its original purpose (Storage limitation).
  • Processed in a manner that ensures the security of personal data. This includes protection from accidental loss, destruction, or damage by implementing required technical and organizational measures (Data integrity and confidentiality)

The GDPR focuses on securing and ensuring the privacy of EU citizens' personal and sensitive personal data. Data, including personal data, is hard to control because it’s dynamic, distributed and in demand. As data grows, changes and multiplies, keeping track of it becomes more difficult. Your business can’t stop to reexamine and classify data every time a customer record is updated. (Learn more about how to accelerate your GDPR efforts.)

Why GDPR?

Once the GDPR is enforced, organizations could face a few different penalties for non-compliance depending on the infraction. Possible consequences include:

  • Suspending all data processing.
  • Paying a fine of up to four percent of their annual worldwide turnover or 20 million euros—whichever is higher.
  • Other sanctions include warnings, reprimands, and corrective orders.

GDPR conformance is a challenge for many enterprises, even ones with no current EU-resident customers or employees. Companies around the world will be affected if they hire employees with EU citizenship (including dual citizenship) — or if they ever develop customer or business-partner relationships involving EU citizens or residents.

Who does the GDPR apply to?

The GDPR applies to all businesses that:

  • Operate in the EU.
  • Process the personal data of EU residents (regardless of location).
  • Provide goods or services to people in the EU (regardless of where processing takes place).

Whether your data is on-premises or stored in the cloud and wherever you are on the road to GDPR readiness, there are steps you can take to help your enterprise find GDPR personal data, uncover risk and take action and we are here to help you