eu-gdpr-factsheet--041017.pdf

The European Union General Data Protection Regulation (EU GDPR) applies to organisations that process personal data of individuals in the EU, including those established outside of the EU. Key requirements include:

• Processing is lawful if consent is given by the individual for specific purposes or it is necessary for a contract, legal obligation, vital interests, public interest, or legitimate interests.
• Individuals have rights to access and obtain a copy of their personal data, rectification of inaccurate data, erasure in certain circumstances, restriction of processing, data portability, objection to processing, and not be subject to automated decision-making.

Organisations must also:

• Implement data protection by design and default
• Carry out a data protection impact assessment in certain circumstances
• Designate a data protection officer in certain cases

Additionally, the EU GDPR requires organisations to:

• Notify the supervisory authority of a personal data breach within 72 hours if feasible
• Notify individuals of a high-risk personal data breach without undue delay
• Implement administrative fines up to €20 million or 4% of worldwide annual turnover for non-compliance.