Skip to content

GDPR

GDPR

General Data Protection Regulation

1. Overview: GDPR, the European Union’s strong personal-data-protection standard

    flowchart LR
    A["Fragmented privacy regulations"] -- "Shift to a global standard security framework" --> B["GDPR regulation"]
  

Definition: A unified regulation enacted to strengthen the protection of EU citizens’ personal data and to control the transfer of personal data into and out of the EU.

Characteristics: (Extraterritorial application) GDPR applies in full even to non-EU companies if they offer services targeting EU citizens. (Strong sanctions) Violations can incur fines of up to 4% of global annual revenue or €20 million, whichever is higher. (Broad rights) Legally guarantees data subjects comprehensive rights, including access, rectification, erasure, and portability.


2. GDPR’s core principles and data subject rights

A. The 7 principles of personal data processing

    flowchart TD
  ROOT["GDPR's 7 Principles"]
  P1["Lawfulness, fairness, transparency"]
  P2["Purpose limitation"]
  P3["Data minimization"]
  P4["Accuracy"]
  P5["Storage limitation"]
  P6["Integrity and confidentiality"]
  P7["Accountability"]

  ROOT --> P1
  ROOT --> P2
  ROOT --> P3
  ROOT --> P4
  ROOT --> P5
  ROOT --> P6
  ROOT --> P7

  style ROOT fill:#1E3A5F,color:#fff
  
PrincipleDetailsNotes
Lawfulness/fairnessProcessing must be transparent and based on a legal basisConsent, contract performance, etc.
Purpose limitationCollect only for specified, explicit, and legitimate purposesProhibited to use beyond the collection purpose
Data minimizationProcess only the minimum data necessary to achieve the purposeBurden of proof of necessity
AccountabilityEmphasizes the controller’s responsibility to demonstrate complianceAppoint a DPO, conduct a DPIA

B. Strengthened data subject rights and response mechanisms

    flowchart LR
    subgraph Rights["Core rights of the data subject"]
        R1["Right to erasure<br/>('right to be forgotten')"]
        R2["Right to portability"]
        R3["Right to restriction<br/>of processing"]
        R4["Right to object"]
    end

    subgraph Actions["Corporate response process"]
        A1["Appoint a DPO"]
        A2["Data Protection Impact<br/>Assessment (DPIA)"]
        A3["Data breach notification<br/>(within 72 hours)"]
    end

    Rights -.-> Actions
  
RightKey contentCorporate obligation
Right to erasureRight to request deletion once the purpose is fulfilled or consent is withdrawnDelete and destroy without undue delay
Data portabilityRight to request transfer of one’s data to another controllerProvide data in a machine-readable format
Breach notification dutyNotify the supervisory authority and data subjects of a personal-data leakReport within 72 hours

3. Corporate response strategies for GDPR compliance and their effects

CategoryKey response measureExpected effect / application
Organizational responseAppoint a DPO (Data Protection Officer)Preempt legal risk for companies operating in the EU
Technical responseApply pseudonymization and encryptionBalance data utilization and protection (Privacy by Design)
Administrative responseMaintain Records of Processing Activities (RoPA)Serves as evidence of transparency and accountability during regulatory investigations