Extract from Zapproved’s article “The Ultimate Guide to the GDPR and Ediscovery”
What Is the GDPR?
The EU General Data Protection Regulation, or GDPR, established “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data” to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” Before the GDPR, European countries had a hodgepodge of data privacy regulations. The EU enacted the GDPR in 2018 to harmonize and standardize these various laws, creating a single data privacy rule for all the participating nations.
In short, the GDPR provides several broad protections for the personal data of European residents, including the right to access one’s data and the right to have one’s data erased. It requires that companies justify their possession of personal data and carefully control what they do with it. You might be wondering what exactly this means. Here’s some clarification on a few details of the GDPR that are commonly misunderstood.
First, while the GDPR is loosely referred to as an EU regulation — which it is — it is not limited to the EU in two distinct senses. For one, the GDPR has been adopted by and applies not only to the 28 member nations of the EU but also to Iceland, Norway and Liechtenstein, as part of the European Economic Area (EEA). Note that, for now at least, this means that residents of the U.K. will also be covered under the GDPR even after departing the EU, unless and until the U.K. gives notice that it is leaving the EEA. Switzerland, on the other hand, is in neither the EU nor the EEA. Additionally, as already mentioned, the GDPR is broader than the EU in that it applies to businesses anywhere that possess or process the personal data of residents of the participating nations. We’ll discuss what this means in more detail in the next section.