The General Data Protection Regulation (GDPR) is the strongest data privacy law established by the European Union (EU). With the introduction of the GDPR, many companies around the world, especially organizations with a presence in the EU, have been obliged to rethink their data security and privacy approaches. The GDPR is legislation that updated and unified data security and privacy laws and regulations across the entire EU. It focuses on making businesses more transparent about the privacy rights of the data subjects (users) whose personal data they collect and handle. It also requires businesses to notify all affected data subjects and the concerned authorities within 72 hours when a serious data breach occurs.
The main purpose of the General Data Protection Regulation (GDPR) is to protect EU citizens and the data that describes them, and to require the businesses that collect personal data to handle and maintain it in a responsible and safe manner. Furthermore, the GDPR strictly requires organizations to protect personally identifiable information (PII) against unauthorized or unlawful processing and against accidental loss, destruction or damage. Additionally, the regulation requires organizations to define the reason for collecting personal data, and the data must be used only for the specific and legitimate purpose that the company defined when collecting it.
Under the General Data Protection Regulation (GDPR), organizations can legally process personally identifiable information (PII) only if they meet at least one of the following conditions:
- Consent of the data subject
- Performance of a contract
- Legitimate interest of the data subject
- Vital interest of data subject
- Legal requirements and obligations
- Public interest enforced through governmental authority
Personally identifiable information (PII) may include one or more of the following:
- Person’s name
- Identification number (ID)
- Social security number (SSN)
- Driver’s license
- Location data
- Biometric data such as fingerprint, face scan, iris/retina scan, etc.
- Health information of an individual
- Racial or ethnic information of an individual
- Religious beliefs
- Political opinions
- Home address of an individual
There are seven (7) principles of the General Data Protection Regulation (GDPR), which are listed below:
- Lawfulness, fairness and transparency: Organizations must ensure their data collection processes do not break the law, and they must clearly specify and inform the data subject about how their data will be used
- Purpose limitation: Personal data can be collected only for specific reasons
- Data minimization: The collected personal data will not be retained longer than required
- Accuracy: The GDPR requires organizations collecting personal data to ensure its accuracy and to update it when necessary, and the data must be deleted or changed at the request of the data subject
- Storage limitation: This requires organizations to delete personal data when it is no longer needed.
- Integrity and confidentiality: The GDPR requires organizations to take appropriate security protection measures against theft, data breach and unauthorized use.
- Accountability: Data collectors are responsible for ensuring compliance with the GDPR
The General Data Protection Regulation (GDPR) grants data subjects the following rights:
- Right to be forgotten
- Right to be informed
- Right of access
- Right to object
- Right to rectification
- Right of portability
- Right to restrict processing