The General Data Protection Regulation (GDPR) is a European Union (EU) regulation which came into effect in 2018. The GDPR gives individuals greater rights over their personal data and imposes additional restrictions on the organizations that have access to it. The GDPR tells organizations how they are allowed to collect and use personal data, and how they must protect it.
GDPR timeline: The GDPR was released in May 2016 and the deadline for organizations to comply was May 25, 2018.
GDPR scope: The GDPR covers personal data, which is any information ‘concerning an identified or identifiable natural person’. This extends to a very wide range of information, including transactional documents; online identifiers such as IP addresses; and manual filing systems as well as databases. The regulation does not apply to data processing activities for law enforcement, national security purposes or purely for personal or household use.
What it replaced: The GDPR replaced the 1995 European Data Protection Directive (95/46/EC).
Purpose: The GDPR aims to provide a strong framework to protect personal data as a fundamental human right while enabling the free flow of data both within the EU and internationally in order to foster economic growth.
Who it affects: The GDPR applies to any organization processing the personal data of EU residents, regardless of whether the organization is located within the EU or outside.