GDPR

The General Data Protection Regulation (GDPR) takes effect on May 25, 2018.

This repository is a high-level collection of information about the GDPR and what developers need to know about it.

Personal Data

Personal data is defined as "any information relating to an identified or identifiable natural person" (Article 4(1)). This can be a single piece of information or several pieces that, combined, identify a person. Examples of personal data include:

  • Name
  • Home address
  • Photo
  • Email address
  • Bank details
  • Posts on social networking websites
  • IP Addresses

Sensitive Personal Data

Sensitive personal data (the "special categories" of Article 9) is a subset of personal data that requires stricter protections than regular personal data: processing it is prohibited unless one of the Article 9 exceptions applies, such as the explicit consent of the data subject. The special categories are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data processed to uniquely identify a person (facial recognition or fingerprint logins)
  • Health data
  • Sex life or sexual orientation

Data about criminal convictions and offences (including past or spent convictions) is treated separately under Article 10 and may only be processed under the control of an official authority or where Union or Member State law allows it.

Location data, online identifiers (cookie IDs, device IDs, IP addresses) and pseudonymised data are not special categories, but they are still personal data and must be protected as such.

Data Breaches

Companies and organizations acting as controllers must notify the national supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33). If the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34). A processor that discovers a breach must notify its controller without undue delay.

Data Portability

People have the right to access their own data and to transfer personal data from one service provider to another. On request, the data must be provided in a structured, commonly used and machine-readable format (Article 20). The portability right covers data the subject provided, where processing is based on consent or on a contract and is carried out by automated means.

Right to be Forgotten

The right to erasure, better known as the right to be forgotten (Article 17), helps people manage data protection risks online: data subjects can have their personal data deleted when there are no legitimate grounds for retaining it, for example when the data is no longer needed for the purpose it was collected for, or when they withdraw the consent the processing was based on.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA, Article 35) is required before starting any processing that is likely to result in a high risk to individuals, which covers most data-intensive projects. The DPIA should answer the questions below, and the answers should be readily available to everyone involved with the project. Data protection regulators may request the DPIA in the event of a data breach, and must be consulted before processing starts if the DPIA shows a high residual risk (Article 36).

Data collection and retention

  1. What personal data is processed?
  2. How is that data collected and retained?
  3. Is the data stored locally, on our servers, or both?
  4. For how long is data stored, and when is the data deleted?
  5. Is the data collection and processing specified, explicit, and legitimate?
  6. What is the process for granting consent for the data processing, and is consent explicit and verifiable?
  7. What is the basis of the consent for the data processing?
  8. If not based on consent, what is the legal basis for the data processing?
  9. Is the data minimized to what is explicitly required?
  10. Is the data accurate and kept up to date?
  11. How are users informed about the data processing?
  12. What controls do users have over the data collection and retention?

Technical and security measures

  1. Is the data encrypted?
  2. Is the data anonymized or pseudonymised?
  3. Is the data backed up?
  4. What are the technical and security measures at the host location?
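Question 2 above is the one most often answered incorrectly: replacing an email address or IP address with a plain SHA-256 hash is not pseudonymisation, because the input space is small enough that anyone can reverse the hash by trying candidates. Article 4(5) requires that the data can no longer be attributed to a person "without the use of additional information" that is "kept separately"; a keyed HMAC meets that definition, with the key as the separately held information. The following is an added example, not code from this repository. It assumes a secret key managed by the controller and stored apart from the dataset; the records and the candidate list are constructed sample data, not real users.

```python
"""Pseudonymising identifiers with a keyed hash (HMAC) rather than a plain hash.

Added example, not code from the gdpr repository. Assumes a secret key held by
the controller and kept separately from the pseudonymised dataset; the records
below are constructed sample data, not real users.
"""
import hashlib
import hmac
import secrets

# Constructed sample records. Alice appears twice, once with a mixed-case email,
# to show that tokens still join across records after normalisation.
SAMPLE_RECORDS = [
    {"user_id": 1, "email": "alice@example.com", "ip": "198.51.100.7", "plan": "pro"},
    {"user_id": 2, "email": "Bob@Example.com", "ip": "203.0.113.42", "plan": "free"},
    {"user_id": 3, "email": "Alice@example.com", "ip": "198.51.100.7", "plan": "pro"},
]

# Fields that directly identify a person and must be replaced before the
# dataset leaves the controller's environment (analytics, support, backups).
IDENTIFIER_FIELDS = ("email", "ip")


def normalise(value: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.com ' and
    'alice@example.com' map to the same token."""
    return value.strip().lower()


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Shown only as the anti-pattern: emails and IPv4
    addresses form a small enough space that a token is reversed simply by
    hashing candidates until one matches."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Same input and key give the same token, so
    records can still be counted and joined, but without the key the token
    cannot be turned back into the identifier."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return copies of the records with IDENTIFIER_FIELDS replaced by tokens.
    The input records are left untouched; the way back exists only via key."""
    out = []
    for record in records:
        copy = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in copy:
                copy[field] = pseudonymise(copy[field], key)
        out.append(copy)
    return out


def count_distinct(records, field: str) -> int:
    """Analytics still works on the pseudonymised copy: distinct tokens
    correspond to distinct people."""
    return len({r[field] for r in records})


def guess_reverse(token: str, candidates, digest):
    """The re-identifier's view: run each candidate identifier through
    `digest` and compare against the token. Returns the matching candidate
    or None. With plain_hash this succeeds for anyone; with the HMAC it only
    succeeds for a caller who already holds the key."""
    for candidate in candidates:
        if hmac.compare_digest(digest(candidate), token):
            return candidate
    return None


def main():
    # In production the key lives in a KMS or secret store, never beside the data.
    key = secrets.token_bytes(32)
    tokens = pseudonymise_records(SAMPLE_RECORDS, key)
    print("distinct users:", count_distinct(tokens, "email"))
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    print("plain hash reversed to:",
          guess_reverse(plain_hash("alice@example.com"), guesses, plain_hash))
    print("HMAC reversed without key:",
          guess_reverse(tokens[0]["email"], guesses, plain_hash))
    print("HMAC reversed with key:",
          guess_reverse(tokens[0]["email"], guesses, lambda c: pseudonymise(c, key)))


if __name__ == "__main__":
    main()
```

Two properties of this design matter for the DPIA answers. First, the pseudonymised copy can be handed to analytics or support staff without giving them access to the key, which narrows the "who has access to the data" answer under Personnel. Second, because re-identification depends entirely on the key, destroying the key when the data is no longer needed turns every token into effectively anonymous data, which is a practical way to honour an erasure request in copies and backups that cannot be rewritten.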

Personnel

  1. Who has access to the data?
  2. What data protection training have those individuals received?
  3. What security measures do those individuals work with?
  4. What data breach notification and alert procedures are in place?
  5. What procedures are in place for government requests?

Subject access rights

  1. How does the data subject exercise their access rights?
  2. How does the data subject exercise their right to data portability?
  3. How does the data subject exercise their rights to erasure and the right to be forgotten?
  4. How does the data subject exercise their right to restrict and object?

Legal

  1. Are the obligations of all data processors, including subcontractors, covered by a contract?
  2. If the data is transferred outside the European Union, what are the protective measures and safeguards?

Risks

  1. What are the risks to the data subjects if the data is misused, mis-accessed, or breached?
  2. What are the risks to the data subjects if the data is modified?
  3. What are the risks to the data subjects if the data is lost?
  4. What are the main sources of risk?
  5. What steps have been taken to mitigate those risks?

More Information
