AlignTrust
Compliance & Regulation

GDPR (General Data Protection Regulation)

The EU's primary data protection law, which governs how organisations collect, process, and store personal data of EU residents — with significant penalties for non-compliance.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that came into force on 25 May 2018. It sets out rules for how organisations handle the personal data of individuals in the EU and European Economic Area (EEA). It applies to any organisation — regardless of where it's based — that processes personal data of EU/EEA residents.

Key GDPR Principles

  1. Lawfulness, fairness, and transparency: You must have a legal basis to process data and be transparent about how you use it
  2. Purpose limitation: Data collected for one purpose can't be repurposed without consent
  3. Data minimisation: Collect only what you need
  4. Accuracy: Keep personal data up to date
  5. Storage limitation: Don't retain data longer than necessary
  6. Integrity and confidentiality: Protect data with appropriate security measures
  7. Accountability: Document your compliance — you must be able to demonstrate it

Individual Rights Under GDPR

Data subjects (individuals) have the right to:

  • Access the data held about them
  • Have inaccurate data rectified
  • Have their data erased ("right to be forgotten") in certain circumstances
  • Receive their data in a portable format (data portability)
  • Object to processing
  • Not be subject to solely automated decision-making

Penalties

GDPR fines come in two tiers:

  • Up to €10 million or 2% of global annual turnover for less severe violations
  • Up to €20 million or 4% of global annual turnover for more serious violations (e.g., lack of consent, breach of core principles)

GDPR for SMBs

If you sell to or collect data from EU residents, GDPR applies to you. Key practical steps:

  1. Audit what personal data you collect and why
  2. Publish a clear, GDPR-compliant privacy policy
  3. Implement a process for handling data subject requests
  4. Appoint a data protection contact (DPO if required)
  5. Establish a procedure for notifying your supervisory authority of a personal data breach within 72 hours