As of May 25, the EU General Data Protection Regulation (GDPR) now applies directly in all EU member states and is enforceable. The GDPR provides EU residents with control over their personal data through a set of “data subject rights.” This includes the right to:
- Access information about how personal data is used
- Access personal data held by an organization
- Have incorrect personal data deleted or corrected
- Have personal data rectified and erased in certain circumstances (sometimes referred to as the "right to be forgotten")
- Restrict or object to automated processing of personal data
- Receive a copy of personal data
The GDPR imposes far-reaching obligations on companies in the EU that collect, use, or otherwise process personal information. Key principles and requirements include:
- Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a "lawful basis" to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not "compatible" with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
- Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
- Ensuring security, integrity, and confidentiality of personal data. Your organization must take steps to keep personal data secure through technical and organizational security measures.