The General Data Protection Regulation (GDPR) is an internationally recognised compliance standard created to safeguard individuals' right to privacy, particularly with regard to personal data. It governs the processing of personal data within the European Union and prohibits companies, whether operating domestically or internationally, from mishandling sensitive data belonging to EU residents.
The GDPR came into force on April 14, 2016, and was ratified as legislation by the European Parliament on May 25, 2018. Under GDPR, businesses must notify the relevant supervisory authority and any affected individuals of significant data breaches within 72 hours of becoming aware of them. The regulation also defines the legitimate grounds for collecting personal data; once information has been gathered for a specific legitimate purpose, it cannot be used for any other purpose.
The GDPR is a set of data privacy and security guidelines jointly adopted by the European Commission, the European Parliament, and the Council of Ministers of the European Union. Its aim is to ensure improved and harmonised data protection for individuals within the EU.
The GDPR makes significant provisions regarding the personal data of EU citizens and residents, including their right to ask data controllers and processors to delete, amend, or transfer their data. It substantially updates its predecessor, the Data Protection Directive 95/46/EC. The overarching goal is to give individuals greater control over their data while increasing transparency about how data is collected and used — updating data legislation to reflect our connected digital world.
Any entity — individual, company, or organisation — that collects or uses personal data from any person within the European Union is subject to GDPR. "Personal data" means any information that makes it possible to identify a specific individual, directly or indirectly. Any business with a website or application that collects data from EU users is required to comply.
GDPR applies regardless of where the organisation is based, since its purpose is to protect the data and privacy rights of all EU internet users wherever they go online or conduct transactions.
There are three parties affected by the GDPR:
1. Data Controllers — Public or private entities that initiate the collection of personal data from individuals. Data controllers are responsible for the information they collect and must follow GDPR guidelines to protect its integrity and privacy.
2. Data Processors — Typically engaged by data controllers to handle data processing tasks. Data processors are required to comply with GDPR, and it is their responsibility to ensure that any external organisations to whom they outsource processing operations also comply.
3. Data Subjects — The individuals whose data is collected and processed by controllers and processors. GDPR gives data subjects the right to control how organisations use their personal information.
For specifics on how 84000 implements GDPR compliance, including our role as a data controller and the data processors we work with, please consult our Digital Processing Agreement.
This guide draws on an introductory overview by Akitra.