What is GDPR?
GDPR (General Data Protection Regulation) is a regulation in the European Union that protects the personal data and privacy of EU citizens, and it covers all transactions that occur within EU member states.
Companies that collect data from EU citizens need to comply with GDPR, which protects customer data. A data breach can happen at any time: information can be lost or stolen and viewed by someone who was never intended to see it. Under the terms of GDPR, the organization has to ensure that personal data are collected under strict rules, and it faces penalties if it fails to do so. This is also a challenge for companies, because they need the same level of protection for things like an individual's IP address or cookie data as they do for name, address, and Social Security number.
Who is responsible within my company?
The data controller, the data processor, and the Data Protection Officer (DPO) are the roles responsible for GDPR compliance. The data controller determines how personal data are processed and for what purpose they are processed.
The data processor handles the data as instructed by the controller, for the specific purposes and services offered. GDPR holds processors liable for breaches or non-compliance. A controller can also face consequences when the fault lies with a processing partner such as a cloud provider. Every company that stores a large amount of EU citizens' data needs to have a DPO. The DPO is responsible for overseeing the data security strategy and GDPR compliance.
What are the personal data protected under GDPR principles?
Not every piece of information is considered to be personal data, and the GDPR offers a definition of what qualifies as personal data.
Definition (Article 4(1)): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controllers and processors are subject to a different set of rules when processing data in the special categories.
Special categories of personal data
These categories may require additional protection and should not be collected without a good reason:
racial or ethnic origin,
religious or philosophical beliefs,
trade union membership,
genetic data, biometric data (facial recognition, fingerprints, etc.),
sex life and sexual orientation.