# GDPR (General Data Protection Regulation)
## Overview
The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law that governs how organizations collect, process, and protect personal data of EU residents.
## Key Principles
| Principle | Description |
|---|---|
| Lawfulness, Fairness, Transparency | Process data legally and openly |
| Purpose Limitation | Collect for specified, legitimate purposes |
| Data Minimization | Only collect necessary data |
| Accuracy | Keep data accurate and up-to-date |
| Storage Limitation | Don't keep data longer than needed |
| Integrity & Confidentiality | Ensure appropriate security |
| Accountability | Demonstrate compliance |
## Data Subject Rights
Individuals have the right to:
- Access - Know what data is held about them
- Rectification - Correct inaccurate data
- Erasure - Request deletion ("right to be forgotten")
- Restrict Processing - Limit how data is used
- Data Portability - Receive data in portable format
- Object - Object to certain processing
- Automated Decisions - Not be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects
## Lawful Bases for Processing
You must have one of these legal grounds:
- Consent - Clear, affirmative agreement
- Contract - Necessary for contract performance
- Legal Obligation - Required by law
- Vital Interests - Protect someone's life
- Public Task - Official authority or public interest
- Legitimate Interests - Business needs (balanced against rights)
## Key Requirements
### Data Protection Officer (DPO)
Required when:
- Public authority or body
- Large-scale systematic monitoring
- Large-scale processing of sensitive data
### Data Protection Impact Assessment (DPIA)
Required for high-risk processing:
- Systematic evaluation of individuals
- Large-scale sensitive data processing
- Systematic monitoring of public areas
### Breach Notification
- To Authority - Within 72 hours of awareness
- To Individuals - Without undue delay (if high risk)
### Records of Processing
Document:
- Purpose of processing
- Data categories
- Recipients
- Transfers outside EU
- Retention periods
- Security measures
## Penalties
| Violation Level | Maximum Fine |
|---|---|
| Lower | €10M or 2% of annual global turnover, whichever is higher |
| Higher | €20M or 4% of annual global turnover, whichever is higher |
## International Data Transfers
Data can leave the EU only with:
- Adequacy Decision - Country deemed adequate
- Standard Contractual Clauses (SCCs) - Approved contract terms
- Binding Corporate Rules - Intra-group transfers
- Specific Derogations - Explicit consent, contract necessity
## Compliance Checklist
- [ ] Map all personal data processing
- [ ] Identify lawful basis for each process
- [ ] Update privacy notices
- [ ] Implement data subject rights procedures
- [ ] Review consent mechanisms
- [ ] Appoint DPO if required
- [ ] Implement security measures
- [ ] Establish breach response procedures
- [ ] Review international transfers
- [ ] Train staff on GDPR requirements