General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a regulation in European Union law that governs data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA).

It is designed to protect personal data and ensure that individuals have control over how their data is collected, processed, and stored.

Although GDPR is an EU regulation, its scope is global in practice. It applies not only to organizations within the EU, but also to organizations outside the EU that process the personal data of individuals residing in EU countries.

For example:

  • GDPR does not apply to American citizens living outside the EU
  • However, it does apply to American companies that collect or process data of individuals in the EU

Because GDPR is a regulation and not a directive, it is directly enforceable in all EU member states without requiring local implementation laws.

Key Requirements of GDPR

Organizations that handle personal data of EU residents must comply with strict requirements.

These include:

  • Protecting personal data and privacy in all processing activities
  • Ensuring compliance from May 25th, 2018 onward
  • Reporting data breaches within 72 hours of becoming aware of them

GDPR also provides strong rights to individuals (data subjects), including:

  • The right to withdraw consent at any time
  • The right to access their personal data
  • The right to correct inaccurate data
  • The right to erase data (right to be forgotten)

Failure to comply with GDPR can result in severe penalties:

  • Fines up to €20 million
  • Or up to 4% of global annual turnover, whichever is higher

GDPR Roles

GDPR defines three main roles involved in data processing:

  • Data Subject
  • Data Controller
  • Data Processor

Data Subject

A data subject is a natural person whose personal data is being processed.

Key points:

  • Must be a human individual, not a company
  • Typically refers to the end-user
  • Resides within the EU or EEA

Data Controller

A data controller is the entity that determines the purpose and means of processing personal data.

Key responsibilities:

  • Decides why and how data is processed
  • Is primarily responsible for protecting data subjects
  • Must ensure compliance with GDPR principles

The regulation is mainly focused on holding controllers accountable for protecting personal data.

Data Processor

A data processor processes personal data on behalf of the data controller.

Key characteristics:

  • Does not decide the purpose of data processing
  • Acts only on instructions from the controller
  • Cannot change how the data is used

Controllers must ensure that processors comply with GDPR:

  • Choosing non-compliant processors may lead to penalties
  • Processors may need certifications to prove compliance

GDPR Data Protection Principles

GDPR defines six core principles that must be followed when handling personal data. The data controller is responsible for ensuring compliance and must be able to demonstrate it.

Lawfulness, Fairness, and Transparency

Personal data must be processed in a lawful, fair, and transparent manner.

This means:

  • Processing must have a valid legal basis
  • Individuals must be treated fairly
  • Organizations must clearly inform individuals about data usage

Transparency requires that individuals are informed:

  • Before data collection
  • Whenever changes in processing occur

Purpose Limitation

Personal data must be collected for specific, explicit, and legitimate purposes.

It must not be used for purposes that are incompatible with the original intent unless additional consent is obtained.

Key points:

  • Clearly define purpose at collection time
  • Do not reuse data for unrelated purposes
  • Obtain consent for any new purpose

Data Minimization

Only the minimum amount of data necessary should be collected and processed.

Key points:

  • Data must be adequate and relevant
  • Avoid collecting excessive information
  • Limit data to what is strictly needed

Accuracy

Personal data must be accurate and kept up to date.

Organizations must:

  • Take reasonable steps to ensure accuracy
  • Correct or delete inaccurate data without delay

This ensures that decisions are not made based on incorrect information.

Storage Limitation

Personal data should not be stored longer than necessary.

Key points:

  • Retain data only for its intended purpose
  • Delete or anonymize data when no longer needed
  • Protect individuals from unnecessary long-term storage

Integrity and Confidentiality

Personal data must be processed securely to prevent unauthorized access, loss, or damage.

This includes:

  • Protecting against unauthorized or unlawful processing
  • Preventing accidental loss or destruction
  • Implementing appropriate technical and organizational controls

Organizations must:

  • Assess risks related to data processing
  • Apply suitable security measures
  • Regularly review and update these controls

Summary

GDPR is a comprehensive regulation that protects personal data and privacy of individuals within the EU and EEA. It applies globally to any organization handling EU personal data.

It defines strict requirements, strong individual rights, and significant penalties for non-compliance.

The regulation introduces clear roles such as data subject, data controller, and data processor, and enforces six core principles that govern how personal data must be handled.

Overall, GDPR emphasizes accountability, transparency, and security, requiring organizations to actively protect personal data and demonstrate compliance at all times.