What is the GDPR?
What you need to know for GDPR
In 2016, the European Union (“EU”) enacted the General Data Protection Regulation (“GDPR”), a far-ranging piece of legislation that regulates how organisations collect, store, and process the personal data of EU individuals. The goal of the GDPR is to strengthen data protection, simplify international business regulations, and return control of private information to the average person.
GDPR stands for General Data Protection Regulation.
It is a law intended to strengthen electronic privacy for all individuals in the EU while creating uniform regulations for member countries.
The GDPR protects the privacy of all individuals in the European Union (“EU”) by creating uniform regulations for member countries relating to the free movement of personal data. The GDPR applies to personal data created by citizens of the EU, but also puts new requirements on businesses globally that collect, store, and process the personal data of EU individuals, namely:
- Being able to quickly comply with erasure requests
- Making data more portable upon request
While the GDPR was adopted by the EU last year, EU Data Protection Authorities have stated that they won’t begin enforcing the regulation until May 25, 2018. As the leader in Cloud Identity, Okta has followed the development of this regulation closely, and developed this guide to outline the key points and offer solutions to help your organisation get ready for the GDPR.
What data is regulated by the GDPR?
Some of the personal data regulated by the GDPR is fairly obvious, such as email addresses and employee ID numbers. It isn’t all so straightforward, though. The GDPR also regulates information that could be traced back to a specific person, so it covers geolocation and behavioural data that can be traced back to an individual, as well. The law was written to be future-proof, so it doesn’t provide a finite list of personal data types. Generally speaking, any data that identifies a living EU individual counts as personal data. The GDPR goes further than past privacy regulations such as Safe Harbour and Privacy Shield by classifying an IP address as personal data, if it can be used with other data to identify an EU individual. This change in particular is a significant departure from previous privacy laws.
The history of the GDPR
The EU has been at the forefront of privacy law for a long time. In 1995, it adopted the Data Protection Directive, which broadly defined personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”