# GDPR

**What is the GDPR?**

The GDPR is the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679). It has applied since 25 May 2018 and governs how organisations may process personal data, including the duty to protect that data with appropriate technical measures.

Personal data means any information relating to an identifiable individual. Names, addresses, email addresses, photographs, salary records, health information and IP addresses, the identifiers under which a device is reachable on the internet, all qualify. Any business that employs staff or serves customers processes such data. The Regulation applies irrespective of company size, and the measures required are scaled to the risk of the processing concerned.

Two provisions matter most for security. Article 5 requires personal data to remain confidential and intact. Article 32 requires technical and organisational measures appropriate to the risk and expressly mentions encryption, the ability to restore access to data promptly after an incident, and a process for testing the effectiveness of those measures on a regular basis. Article 5(2) adds accountability, which means the business must be able to demonstrate that it meets these requirements.

Weaknesses tend to be visible in everyday practice. Every member of staff can open every folder on the server. Accounts belonging to people who left months ago remain active. Customer records sit unencrypted on private laptops and memory sticks. The backup runs each night and has never been restored as a test. Each of these observations raises a question under Article 32.

A practical first step is to establish the facts. Which personal data does the business process, in which systems is it held, who has access to it and which external providers are involved. Article 30 requires a record of processing activities, that is a written overview of all processing, in any event. With that record in hand, access rights, backups and encryption can be put in order in a deliberate sequence.

Article 83 provides for administrative fines of up to 20 million euros or 4 per cent of worldwide annual turnover, whichever is the higher. The IT-Check examines the technical side of these duties across eight areas and more than 100 checkpoints and records the position in a written report supplied within 14 working days. Legal assessment remains a matter for a qualified lawyer, and the report provides the technical basis for it.

## Related terms
- [Technical and organisational measures (TOMs)](https://vetosec.at/en/it-security/tom-dsgvo/)
- [Data breach notification duty](https://vetosec.at/en/it-security/meldepflicht-datenpanne/)
- [Data processing agreement (DPA)](https://vetosec.at/en/it-security/auftragsverarbeitung/)
- [Data breach](https://vetosec.at/en/it-security/datenleck/)

## Source
https://vetosec.at/en/it-security/dsgvo/ (vetosec, recht)
