GDPR is the European Union’s General Data Protection Regulation. The law gives data subjects rights over their personal data and establishes obligations for any organization, anywhere in the world, that processes the personal data of an EU data subject, so the law’s applicability follows the data rather than the physical location of the data subject or the organization.

GDPR requires all data controllers and data processors that handle personal data of data subjects to apply appropriate security and organizational measures in order to safeguard the confidentiality, integrity, and availability of processing services. GDPR was enacted in 2016 and became enforceable on May 25, 2018.

Because GDPR uses informal descriptions for the term “data subject,” the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects: a person located in the EU, a resident of the EU, a citizen of the EU, an EU resident/citizen physically located anywhere in the world, or a person whose personal data is processed within the EU, regardless of that person’s location. Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

A data protection officer (DPO) is an individual who has expert knowledge of data protection laws, coordinates with data subjects and supervisory authorities, participates in data protection impact assessments, and monitors GDPR compliance.

Article 28(3) of GDPR requires controllers, processors, and sub-processors to enter into written contracts, known as data processing agreements (DPAs), before sharing personal data. DPAs set liability limitations and establish the roles and responsibilities of controllers, processors, and sub-processors.

A data controller is the natural or legal entity that determines the purposes and means of processing personal data. The greater an organization’s decision-making authority over what personal data to obtain from data subjects and how to use it, the more likely it is that the organization takes on the responsibilities of a data controller.