The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and applies to all organizations that offer goods and services to, or process personal data of, citizens or residents of the European Union. The GDPR requires organizations to adhere to the following seven principles of protection and accountability:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — Data must be processed only for the legitimate purposes that were explicitly specified to the data subject when the data was collected.
- Data minimization — Only as much data as absolutely necessary for the purposes specified should be collected and processed.
- Accuracy — Personal data must be accurate and kept up to date.
- Storage limitation — Personally identifying data must be kept only for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
The GDPR defines personal data as "any information that relates to an individual who can be directly or indirectly identified." Examples include:
- Names and email addresses,
- Location information,
- Biometric data,
- Religious beliefs,
- Web cookies,
- Political opinions, and
- Pseudonymous data (if it’s relatively easy to identify someone from it).