The full GDPR text (Regulation (EU) 2016/679), available in multiple languages, can be accessed on the European Commission's website. Follow the link below to be redirected.
Countries outside of the EU that have been deemed to provide adequate levels of protection for the personal data rights stipulated by the GDPR are listed on the European Commission's website. Follow the link below to be redirected.
Anonymisation and its cousin, 'pseudonymisation', are the processes of entirely (the former) or partly (the latter) removing personal identifiers from data. While the concept of anonymisation is fairly straightforward, pseudonymisation is not as clear-cut: even if, for example, an external coding system is required for identification, the data is not truly anonymised. When reaching a retention limit or receiving a 'request for erasure', anonymisation is a compliant approach for retaining the non-personal elements of data while upholding your data subjects' rights.
'Data processing' is any operation performed on personal data, regardless of whether that operation is automated. Collection, recording/storage, organisation, alteration, dissemination (making available), restriction, and erasure/destruction of personal data are all considered processing. Consequently, as many of these operations are commonplace, the vast majority of businesses are liable for compliance with data privacy legislation. If the personal data being processed is that of EU/EEA individuals, the GDPR is where to begin.
The GDPR protects the rights of 'identifiable natural persons', also known as 'data subjects', who are within the European Union (EU). A 'natural person' is a living human being, as opposed to a 'legal person', which may be a private or public organisation. Identifiers of data subjects can exist in many formats, ranging from social security number and location data (physical or digital) to genetic or economic information, to name only a few. During compliance efforts, be sure to consider all data subjects: customers, colleagues, and staff alike.
Standard Contractual Clauses (SCCs) are regulated sets of terms that must be signed by sender and receiver prior to personal data being transferred to a third party operating outside of the General Data Protection Regulation's (GDPR) jurisdiction. Although there are some mechanisms in place for simplifying compliance when transferring personal data to third countries, such as the recently invalidated EU-US Privacy Shield, SCCs remain small- and medium-sized enterprises' best alternative for ensuring the compliance of extra-EU/EEA third parties.
Further information can be found on the European Commission's website here.