GDPR stands for General Data Protection Regulation, but it's really about people. It's about the rights and freedoms of people, the processing of personal data, and the movement of personal data.
Article 1 of the regulation lays down rules related to protection of natural persons with regard to the processing of their personal data, and rules relating to the free movement of personal data. It also protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
It really is about what you do with the data, how you use the data, who has access to the data, and not necessarily the data itself. The focus of the regulation is how the data is used, how personal data is processed, how it moves across jurisdictions, and obviously doing all of that while protecting the rights of data subjects.
Some key terminology used in the regulation:
- Data subjects are residents in the EU. As long as you reside in the EU, you are covered by this regulation.
- Data controllers are the process owners. They have full control over what data is collected, what data is processed, how it is used, and how it is shared.
- The processor is an entity that can process personal data on behalf of the controller, on specific requests from the controller.
- The recipient can be another entity that has access to this personal data and benefits from it, again with the express agreement of the controller and processor.
- A third party is any sort of entity that has access to personal data.
- The EU regulator, or in general the regulator, is the data protection authority. There is one in every EU country and there's also an overarching EU-wide entity that oversees all of the other national ones as well.
GDPR is a regulation as opposed to a directive, which means it's enforceable as law across the European Union. What came before it was a directive, the Data Protection Directive 1995, that had some elements which had to be adopted individually by each country. That led to a lot of inconsistencies in terms of data protection. With GDPR, the EU hopes to achieve consistency and see the same rules apply to everyone across the EU.