GDPR
Overview
The General Data Protection Regulation (GDPR) is a comprehensive data privacy and security law passed by the European Union. Adopted in 2016 and effective since May 25, 2018, it governs how personal data of EU citizens is collected, processed, stored, and transferred.
GDPR applies to any organization worldwide that processes personal data of EU residents, making it the most impactful privacy regulation globally. It has inspired similar laws in California (CCPA), Brazil (LGPD), and other jurisdictions.
Key Principles
| Principle | Description |
|---|---|
| Lawfulness, fairness, transparency | Processing must have a legal basis; data subjects must be informed |
| Purpose limitation | Data collected for specified, explicit, legitimate purposes only |
| Data minimization | Only data adequate, relevant, and necessary for the purpose |
| Accuracy | Personal data must be accurate and kept up to date |
| Storage limitation | Data retained only as long as necessary |
| Integrity and confidentiality | Appropriate security measures must be in place |
| Accountability | The controller is responsible for demonstrating compliance |
Legal Bases for Processing
- Consent — clear, affirmative, specific consent from the data subject
- Contract — processing necessary for a contract or pre-contractual measures
- Legal obligation — processing required by law
- Vital interests — protecting someone’s life
- Public task — exercising official authority
- Legitimate interests — legitimate interests of the controller or third party
Data Subject Rights
- Right to access their data
- Right to rectification of inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to portability — receive data in a machine-readable format
- Right to object to processing
- Rights related to automated decision-making and profiling
Penalties
- Up to €20 million or 4% of global annual turnover (whichever is higher) for serious violations
- Up to €10 million or 2% of global annual turnover for lesser violations
Key Roles
- Data Controller — determines the purposes and means of processing
- Data Processor — processes data on behalf of the controller
- Data Protection Officer (DPO) — required for public authorities and organizations conducting large-scale systematic monitoring or processing of sensitive data
Relationship to Other Frameworks
- SOC 2 Privacy criterion — SOC 2 helps demonstrate GDPR compliance
- NIST Privacy Framework — complements GDPR implementation
- NIST Cybersecurity Framework (technologies/security-frameworks/nist-csf.md) — broader cybersecurity context
- ISO 27001 (technologies/security-frameworks/iso-27001.md) — information security management supporting GDPR security requirements