The General Data Protection Regulation (EU) 16/679 (GDPR) is a regulation of law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of individuals inside the EEA.
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data. Data controllers must design information systems with privacy in mind. The highest-possible privacy settings by default, so that the datasets are not publicly available by default and cannot be used to identify a subject. No personal data may be processed unless this processing is done under one of the six lawful bases specified by the regulation.