EU General Data Protection Regulation (GDPR)

This information is intended to support you through your data protection and privacy journey, and should not be used as a substitute for legal advice.

What is the EU General Data Protection Regulation?

The GDPR introduces far-reaching obligations for companies that collect, use, or otherwise process personal information.

  • The GDPR is the EU's reform of its privacy framework. It will replace and harmonize the EU's long-standing bundle of national data privacy laws.
  • The GDPR will introduce a single framework that is directly applicable in all EU Member States; however, a number of national customizations remain possible.
  • The GDPR contains the same six core data protection principles, but there are significant changes and additional requirements designed to protect EU citizens’ privacy. For example, the GDPR introduces certain enhanced rights for covered individuals, such as data portability rights.

To whom does the GDPR apply?

  • Companies established in the EU that process personal information;
  • Companies based outside the EU that: offer goods or services directly to individuals in the EU (regardless of whether payment is required), or monitor behavior of individuals in the EU (for instance, through customer profiling).

Enforcement begins on May 25, 2018

Supervisory authorities will have the power to levy fines of increasing levels of severity, up to EUR 20 million or 4% of a company's group global annual turnover of the past financial year for non-compliance.

What is Red Hat doing to prepare for GDPR?

Red Hat is taking a collaborative approach and involving key company stakeholders in the organization to get ready for GDPR. We have taken steps to conduct detailed data inventories and are implementing processes and making enhancements designed to comply with the various requirements of GDPR. For example, we have been working diligently on processes to address rights of data subjects, including how individuals may obtain their personal data, make corrections, and request erasure. Red Hat has also undertaken measures to employ data privacy impact assessment processes and privacy by design principles to enhance our product portfolio insofar as it relates to personal data handling. We realize the need for ongoing efforts to support the privacy and security of personal data entrusted to us, and we are committed to protecting such data in line with the requirements of GDPR and to meet or exceed the needs of our customers.

What can you do to prepare?

  • Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
  • Consider creating an updated inventory of personal data that you handle. This will help identify and classify data.
  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
  • Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

What is a data controller and data processor?

  • The GDPR applies to both data “controllers” and data “processors” of EU personal data. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.
  • If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

International data transfers

  • If your organization operates in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
  • The Article 29 Working Party has produced guidance on identifying a controller or processor's lead supervisory authority.
  • The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
  • Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the EU-U.S. and Swiss-U.S. Privacy Shields.
