GDPR


GDPR compliance is adhering to the European Union's General Data Protection Regulation to protect the personal data and privacy of individuals in the EU. Key requirements include obtaining consent, ensuring data accuracy and security, and limiting data processing to specific, legitimate purposes. Compliance also involves providing individuals with rights over their data and establishing procedures for data breaches.

Core principles

Lawfulness, fairness, and transparency: Be clear with individuals about how their data is being used and have a legal basis for processing it.
Purpose limitation: Collect data for specified, explicit, and legitimate purposes and do not reuse it for incompatible ones.
Data minimization: Collect only the data that is adequate, relevant, and necessary for the purpose.
Accuracy: Keep personal data accurate and up-to-date.
Storage limitation: Keep data only as long as necessary for the purpose.
Integrity and confidentiality: Protect the data from unauthorized access, loss, or damage through appropriate security measures.
Accountability: Be able to demonstrate compliance with all the principles through documented policies and procedures.

Key requirements and actions

Consent: Obtain explicit, informed consent for data collection and processing, and make it easy for individuals to withdraw consent.
Data subject rights: Provide individuals with rights to access, correct, erase (right to be forgotten), and restrict the processing of their personal data.
Security measures: Implement a combination of technical and organizational controls to protect data, such as encryption, security software, and employee training.
Data Protection Impact Assessment (DPIA): Conduct a DPIA for processing activities that are likely to result in a high risk to individuals' rights and freedoms.
Breach notification: Notify relevant supervisory authorities and affected individuals of a data breach within 72 hours of becoming aware of it.
Data protection by design and by default: Build data privacy and protection into systems and processes from the outset, and ensure the most private settings are the default.
