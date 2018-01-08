Primary obligations under GDPR

GDPR applies to the processing of personal data of people in the EU by businesses operating in the EU. It’s important to note that GDPR doesn’t only apply to firms based in the EU—it applies to any organization providing a product or service to residents of the EU.

The new regulation applies to a wider selection of data than Directive 95/36/EC. Under GDPR, any data that could be used to identify an individual is protected (e.g., IP addresses, social media handles, and mobile device identifiers). There are also special provisions for biometric and genetic data. As with Directive 95/36/EC, pseudonymized data (i.e., data without direct reference to a named individual) is still in scope, though GDPR recognizes that the risks to individuals are reduced when data is pseudonymized.

Organizations defined as data processors also have obligations. Even if they process data only on behalf of a data controller, they are accountable for protecting that data, they must report breaches, and they can be fined if found to be noncompliant.

When a data controller becomes aware of a breach, it must notify its supervisory authority within 72 hours.

Every organization in scope must appoint a data protection officer, who acts as a data protection specialist and is responsible for ensuring compliance. Organizations must document what data they collect and process and why. They must not retain data that has no purpose for them.

It is critical for organizations to demonstrate that they have the consent of a data subject to process the subject’s data. Subjects must give their consent freely, and any written declarations must use plain language that can be understood easily. The subject can withdraw this consent at any time, and the company must be able to remove the subject’s data from all its systems. This rule is often referred to as the “right to be forgotten.” For children, data can be processed only with the consent of a parent or legal guardian. Data subjects are also entitled to make subject access requests to organizations that hold their data, for free.