GDPR
GDPR
General Data Protection Regulation
1. Overview: GDPR, the European Union’s strong personal-data-protection standard
flowchart LR
A["Fragmented privacy regulations"] -- "Shift to a global standard security framework" --> B["GDPR regulation"]
Definition: A unified regulation enacted to strengthen the protection of EU citizens’ personal data and to control the transfer of personal data into and out of the EU.
Characteristics: (Extraterritorial application) GDPR applies in full even to non-EU companies if they offer services targeting EU citizens. (Strong sanctions) Violations can incur fines of up to 4% of global annual revenue or €20 million, whichever is higher. (Broad rights) Legally guarantees data subjects comprehensive rights, including access, rectification, erasure, and portability.
2. GDPR’s core principles and data subject rights
A. The 7 principles of personal data processing
flowchart TD
ROOT["GDPR's 7 Principles"]
P1["Lawfulness, fairness, transparency"]
P2["Purpose limitation"]
P3["Data minimization"]
P4["Accuracy"]
P5["Storage limitation"]
P6["Integrity and confidentiality"]
P7["Accountability"]
ROOT --> P1
ROOT --> P2
ROOT --> P3
ROOT --> P4
ROOT --> P5
ROOT --> P6
ROOT --> P7
style ROOT fill:#1E3A5F,color:#fff
| Principle | Details | Notes |
|---|---|---|
| Lawfulness/fairness | Processing must be transparent and based on a legal basis | Consent, contract performance, etc. |
| Purpose limitation | Collect only for specified, explicit, and legitimate purposes | Prohibited to use beyond the collection purpose |
| Data minimization | Process only the minimum data necessary to achieve the purpose | Burden of proof of necessity |
| Accountability | Emphasizes the controller’s responsibility to demonstrate compliance | Appoint a DPO, conduct a DPIA |
B. Strengthened data subject rights and response mechanisms
flowchart LR
subgraph Rights["Core rights of the data subject"]
R1["Right to erasure<br/>('right to be forgotten')"]
R2["Right to portability"]
R3["Right to restriction<br/>of processing"]
R4["Right to object"]
end
subgraph Actions["Corporate response process"]
A1["Appoint a DPO"]
A2["Data Protection Impact<br/>Assessment (DPIA)"]
A3["Data breach notification<br/>(within 72 hours)"]
end
Rights -.-> Actions
| Right | Key content | Corporate obligation |
|---|---|---|
| Right to erasure | Right to request deletion once the purpose is fulfilled or consent is withdrawn | Delete and destroy without undue delay |
| Data portability | Right to request transfer of one’s data to another controller | Provide data in a machine-readable format |
| Breach notification duty | Notify the supervisory authority and data subjects of a personal-data leak | Report within 72 hours |
3. Corporate response strategies for GDPR compliance and their effects
| Category | Key response measure | Expected effect / application |
|---|---|---|
| Organizational response | Appoint a DPO (Data Protection Officer) | Preempt legal risk for companies operating in the EU |
| Technical response | Apply pseudonymization and encryption | Balance data utilization and protection (Privacy by Design) |
| Administrative response | Maintain Records of Processing Activities (RoPA) | Serves as evidence of transparency and accountability during regulatory investigations |