General Data Protection Regulation (GDPR) FAQs
What is the GDPR and when did it take effect?
The GDPR, or the General Data Protection Regulation, is designed to protect the privacy of EU citizens; enforce standardized data privacy laws across the EU; and reshape the way organizations in the EU and beyond process and manage personal data. The GDPR replaces the EU Data Protection Directive of 1995 and went into effect in May 2018.
Does GDPR apply only to companies in the EU?
No; any organization that collects or processes personal data of individuals in the EU or that offers goods or services to individuals in the EU is subject to the GDPR.
Is the GDPR specific to a certain industry? Does it apply to cloud or on-premises data storage?
The GDPR is not industry-specific and applies to both cloud and on-premises data processing and storage practices.
What are some of the key terms of GDPR, and how do these apply to organizations?
- Personal data: Any data related to an identified or identifiable person. This includes identifiers such as name, an identification number, location data, an online identifier, or any factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Controller: A person, entity or public authority that determines the purposes and methods of processing personal data.
- Data subject: A person whose personal data is processed by or on behalf of a controller.
- Processor: A person, entity or public authority that processes personal data on behalf of a controller.
What are the main requirements of the GDPR?
GDPR requirements can be traced back to seven principles of processing outlined in the regulation. These principles all seek to protect the privacy of individuals in the EU:
- Lawfulness, fairness and transparency: Organizations must conduct data processing in a lawful, fair and transparent manner.
- Purpose Limitation: Organizations may process data only for the purpose for which it was collected and communicated to a data subject.
- Data Minimization: In processing, the minimal amount of data should be collected to achieve the stated objectives.
- Data Accuracy: Collected data should remain accurate for as long as it’s with the controller, and inaccurate data should either be removed or rectified.
- Storage Limitation: Organizations should store data for only as long as necessary.
- Integrity and Confidentiality: Processing should be done in a manner that appropriately protects the data using technical and organizational safeguards and preventing unauthorized or accidental disclosure or damage.
- Accountability: The controller maintains primary responsibility for ensuring these principles are met, including when they are delegated to a processor
What’s the impact of noncompliance with GDPR?
Organizations that don’t take appropriate steps to protect personal data under the GDPR may face fines of up to 20 million Euros, or 4% of their total worldwide annual turnover. These fines are in addition to any compensation they may owe to individuals. Other potential impacts could include suspension or limitation on data flows, public reprimand and reputational damage.
Are there specific technologies, processes or systems dictated by the GDPR?
No. While establishing an extensive set of standards and requirements, the GDPR does not specify certain technologies, processes or systems. Companies can choose the technical and organizational measures they use to comply with the regulation.
How can Hyland help you meet your GDPR compliance objectives?
Organizations can use the OnBase enterprise information platform to create solutions that support their GDPR compliance initiatives. A variety of out-of-the-box functionality, flexible configuration options and built-in security controls offer the agility needed to help navigate the changing data privacy landscape. Click here to learn more.