GDPR is a European privacy and security law that requires any organization that handles personally identifiable data of EU citizens to comply with its regulations. European Union mandated all organizations to comply with GDPR beginning on May 25, 2018. The GDPR imposes hefty fines for those who violate its privacy and security standards. With more and more personal data stored in the cloud, the EU is signaling the world that personal data must be treated private and stored securely. The GDPR is not only applicable to large corporations but also abides by small and medium-sized enterprises (SMEs).

What is personal data and who are affected under the GDPR?

Personal data is defined as any information that can be used to identify an individual such as name, email, gender, ethnicity, religion, browser cookie, and location data including IP address and geolocation.

If your organization processes the personal data or offers goods and services to EU citizens, you are obligated to comply with GDPR even if you do not reside in the EU. Data processing refers to collecting, storing, manipulating, merging, and deleting the personal data of EU citizens.

The people who handle personal data (controllers) and third-party processors who process personal data on behalf of controllers are affected by the GDPR. The penalties for violating the GDPR are pretty steep, and it's either 20 million Euros or 4% of the organization's global revenue whichever is higher.

Personal data and public display

One of the biggest changes in how WHOIS data is shown to the user is affected by the GDPR. To be compliant with the GDPR, domain name registrars no longer display the contact's name and address to the public in an effort to protect consumers and brands. Another example of how Google complies with the GDPR is they restrict publishing contents that display personal data on public pages without restriction.

Accountability

To be compliant with the GDPR, your organization must be able to demonstrate its compliance. Anyone who handles personal data must be trained and follow a written policy to treat data as private and access securely as if it's your own data. The following are some provisions that are required to be followed:

• You're required to maintain written policy for why personal data is collected, stored, and how it is used.
• You must demonstrate how you protect the data, and who owns the responsibility for security. If stored in the cloud storage, the data must be encrypted end-to-end and protected against data breaches.
• You must train your staff to follow strict security guidelines for accessing personal data. An example of protected access may include two-factor authentication (2FA).
• In the event the data protection is delegated to a third-party, the data processing agreement must be signed between the parties.
• If you discover data breaches, you must notify respected parties and consumers within 72 hours. By notifying consumers of data breaches, they have the right to know their data has been hacked and give them an opportunity to protect other data by changing the password and enabling 2FA.
• You must obtain consent to collect and store personal data. As a data subject (person who uses the Internet), you have the right to grant, revoke or restrict access to private data.