EU General Data Protection Regulation (GDPR)

This information is intended to support you through your data protection and privacy journey, and should not be used as a substitute for legal advice.

What is the EU General Data Protection Regulation?

The GDPR introduces far-reaching obligations for companies that collect, use, or otherwise process personal information.

  • The GDPR is the EU's reform of its privacy framework.
  • Currently, the EU's privacy framework consists of a bundle of national data privacy laws.
  • The GDPR will introduce a single framework that is directly applicable in all EU Member States; however, a large number of national customizations remain possible.
  • The GDPR contains the same six core data protection principles, but there are significant changes and additional requirements. For example, the GDPR introduces certain enhanced rights for covered individuals, such as data portability rights.

To whom does the GDPR apply?

  • Companies established in the EU that process personal information;
  • Companies based outside the EU that: offer goods or services directly to individuals in the EU (regardless of whether payment is required), or monitor behavior of individuals in the EU (for instance, through customer profiling).

Enforcement begins on May 25, 2018

Supervisory authorities will have the power to levy fines of increasing levels of severity, up to EUR 20 million or 4% of a company's group global annual turnover of the past financial year.

What's Red Hat doing to prepare for GDPR?

Red Hat is taking a collaborative approach and involving key company stakeholders in the organization to get ready for GDPR. We have taken steps to conduct detailed data inventories and are implementing processes and making enhancements designed to comply with the requirements of GDPR. We realize the need for ongoing efforts to support the privacy and security of personal data entrusted to us, and we are committed to protecting such data in line with the requirements of GDPR.

What can you do to prepare?

  • Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
  • Consider creating an updated inventory of personal data that you handle. This will help identify and classify data.
  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
  • Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

What is a data controller?

  • The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.
  • If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

International data transfers

  • If your organization operates in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
  • The Article 29 Working party has produced guidance on identifying a controller or processor's lead supervisory authority.
  • The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
  • Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the EU-U.S. and Swiss-U.S. Privacy Shields.

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.