When it comes to discussing the GDPR’s standards, there are three categories to consider: key privacy principles, the privacy rights for persons located in the EU that come out of these principles, and the obligation on businesses to maintain policies and practices that realize and respect these rights.
The key principles of the GDPR, broadly stated, are consent, transparency, legality, and accessibility. Under these standards, businesses that collect or process personal information must concisely and plainly communicate what information they collect, how they collect and store it, how they use it, and why they do so. Consumers must give their informed consent to the “what, how, where, and why” of data collection and use. Under the GDPR, businesses must have a legal basis for their collection and use of personal information, and informed consent is the standard for establishing this legal basis.
The GDPR also uses these principles as the basis for a series of privacy rights for individuals. These rights go beyond general rights to privacy and ensure that individuals have rights to take certain actions when it comes to protecting their privacy and personal information. For example, the GDPR grants individuals a right to access the personal information they share with businesses as well as a right to revise this information. The GDPR enumerates these rights and obligates businesses to provide individuals with the appropriate mechanisms and safeguards to realize their rights.