GDPR
The General Data Protection Regulation is the European Union’s data protection law. It governs how personal data of individuals in the EU is collected, processed, transferred, and stored, with extraterritorial reach to any organisation that processes that data.
GDPR has been in force since 25 May 2018, and supervisory authorities have issued more than €4 billion in cumulative fines since enforcement began. For an SME, the day-to-day reality is the documentation set: Records of Processing Activities, Data Processing Agreements with every sub-processor, Data Protection Impact Assessments for high-risk processing, and a defensible position on international transfers. The Article 30 small-organisation exemption is narrower than it appears and almost never applies in practice.
Definitions
GDPR
The General Data Protection Regulation is the European Union’s data protection law, in force since 25 May 2018. Article 3 sets its extraterritorial reach: it applies to processing in the context of an EU establishment, and to any non-EU controller or processor that offers goods or services to people in the EU or monitors their behaviour within the EU.
Records of Processing Activities (ROPA)
A Record of Processing Activities is the written inventory of personal data processing operations required by Article 30 of the GDPR. Controllers and processors must maintain one, make it available to the supervisory authority on request, and keep it current.
Data Processing Agreement (DPA)
A Data Processing Agreement is the contract required by GDPR Article 28 whenever a controller engages a processor to process personal data on its behalf. It must set out the subject matter, duration, nature and purpose of processing, categories of data, controller obligations, and the processor’s commitments on security, confidentiality, sub-processors, and assistance.