The GDPR is the “General Data Protection Regulation”, the European Union’s regulation on data privacy and security (Regulation (EU) 2016/679, applicable since 25 May 2018). It runs to 99 articles and 173 recitals of requirements, and its reach is extraterritorial: it applies to any organization, wherever it is based, that offers goods or services to people in the European Union or monitors their behaviour.
Complying with the GDPR can be a very challenging task because the regulation is large, far-reaching and written in terms of principles and outcomes rather than prescriptive technical controls. Complying with it requires a thorough understanding of the data protection principles it sets out (Article 5). Let us go over them (key definitions are provided in brackets):
Data protection principles
- Lawfulness, fairness and transparency: Data processing (any operation performed on personal data, including collection, storage, access, transfer and deletion) must be lawful, fair and transparent to the data subject (the person whose data is being processed).
- Purpose limitation: Personal data may only be collected for specified, explicit and legitimate purposes stated to the data subject at collection time, and must not be further processed in a way that is incompatible with those purposes.
- Data minimization: You should only collect data that is adequate, relevant and limited to what is strictly needed for the purpose specified.
- Accuracy: Personal data (any information relating to an individual who can be directly or indirectly identified) must be accurate and, where necessary, kept up to date; inaccurate data must be rectified or erased without delay.
- Storage limitation: Personal data should be kept in a form that identifies the data subject for no longer than the time required to carry out the specified purpose, after which it should be deleted or anonymized.
- Integrity and confidentiality: Processing must be done in a way that ensures appropriate security of the personal data, protecting it against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures (the regulation itself names pseudonymization and encryption as examples).
- Accountability: The data controller (the person or organization that determines the purposes and means of the processing) is responsible for, and must be able to demonstrate, compliance with all of these principles. The main idea is that in order to be GDPR compliant you need to be able to show that you are GDPR compliant, which in practice means documenting what data you process, why, on what legal basis, and how it is protected.
Source: https://gdpr.eu/what-is-gdpr/