GDPR (General Data Protection Regulation)
European Union data protection and privacy regulation for personal data processing
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, governing the processing of personal data within the European Union.
Key Principles:
- Lawful Basis: Legal grounds for processing personal data
- Data Minimization: Collect only necessary data
- Purpose Limitation: Use data only for stated purposes
- Transparency: Clear information about data processing
- Individual Rights: Strong rights for data subjects
Territorial Scope:
- EU-based organizations processing personal data
- Non-EU organizations offering goods/services to EU residents
- Non-EU organizations monitoring EU residents' behavior
- Public authorities (with limited exceptions)
- Subsidiaries and branches of non-EU companies
Seven Data Protection Principles
Principle | Description and Requirements |
---|---|
Lawfulness, Fairness, Transparency | Processing must have a legal basis, be fair to individuals, and be transparent about how data is used. |
Purpose Limitation | Data must be collected for specified, explicit, and legitimate purposes. |
Data Minimization | Data must be adequate, relevant, and limited to what is necessary. |
Accuracy | Data must be accurate and kept up to date. |
Storage Limitation | Data must not be kept longer than necessary. |
Integrity and Confidentiality | Data must be processed securely with appropriate technical and organizational measures. |
Accountability | Controllers must demonstrate compliance with all principles. |
Six Lawful Bases for Processing
- Consent: Clear, informed, and freely given agreement
- Contract: Processing necessary for contract performance
- Legal Obligation: Compliance with legal requirements
- Vital Interests: Protection of life or physical safety
- Public Task: Performance of official duties
- Legitimate Interests: Balancing test with individual rights
Special Categories: Sensitive data (health, race, religion, etc.) requires explicit consent or other specific conditions under Article 9.
Individual Rights
Eight Key Rights:
- Right to be Informed: Transparent processing information
- Right of Access: Copy of personal data and processing info
- Right to Rectification: Correction of inaccurate data
- Right to Erasure: "Right to be forgotten"
- Right to Restrict Processing: Limit how data is used
- Right to Data Portability: Move data between services
- Right to Object: Stop processing for specific purposes
- Rights Related to Automated Decision-making: Human review of automated decisions
Response Time: Organizations must respond to rights requests within one month.
Data Protection Impact Assessment (DPIA)
When DPIA is Required:
- Systematic Monitoring: Large-scale monitoring of public areas
- Special Category Data: Large-scale processing of sensitive data
- Profiling with Legal Effects: Automated decision-making with significant impact
- Innovative Technology: New technology with high privacy risk
- Vulnerable Groups: Processing data of children or employees
DPIA Content Requirements:
- Description: Systematic description of processing operations
- Purpose Assessment: Purposes and legitimate interests
- Necessity Assessment: Necessity and proportionality
- Risk Assessment: Risks to rights and freedoms
- Mitigation Measures: Safeguards and security measures
- Consultation: Data subject views (where appropriate)
High Risk: If DPIA shows high risk that cannot be mitigated, consult with supervisory authority before processing.
Breach Notification Requirements
Timeline:
- 72 Hours: Notify supervisory authority (unless low risk)
- Without Undue Delay: Notify affected individuals (if high risk)
Required Information:
- Nature of breach and categories affected
- Approximate number of individuals affected
- Consequences of the breach
- Measures taken or proposed
- Contact details of DPO
Risk Assessment:
- Low Risk: No notification to authority required
- Medium Risk: Notify authority only
- High Risk: Notify authority and individuals
Data Protection Officer (DPO)
When DPO Required:
- Public Authorities: Most public sector organizations
- Core Activities: Large-scale systematic monitoring
- Special Categories: Large-scale processing of sensitive data
DPO Responsibilities:
- Monitor GDPR compliance
- Conduct privacy impact assessments
- Train staff on data protection
- Act as contact point for supervisory authority
- Advise on data protection obligations
- Handle data subject inquiries
DPO Qualifications:
- Expert knowledge of data protection law
- Independence in role performance
- Sufficient resources to perform tasks
International Data Transfers
Adequacy Decisions
EU Commission determines third countries with adequate protection:
- Argentina
- Canada (commercial)
- Israel
- Japan
- New Zealand
- South Korea
- Switzerland
- UK
- Uruguay
Appropriate Safeguards
For transfers to non-adequate countries:
- Standard Contractual Clauses (SCCs): EU-approved contract terms
- Binding Corporate Rules (BCRs): Internal policies for multinational groups
- Certification Schemes: Approved certification programs
- Codes of Conduct: Industry-specific guidelines
Derogations
Limited exceptions for specific situations:
- Explicit consent
- Contract performance
- Important public interest
- Legal claims
- Vital interests
- Public register
Note: Derogations should be used sparingly and for occasional transfers.
GDPR Penalties and Enforcement
Penalty Tier | Violations | Maximum Fine | Enforcement Actions |
---|---|---|---|
Lower Tier | | €10 million or 2% of annual worldwide turnover | |
Upper Tier | | €20 million or 4% of annual worldwide turnover | |
Factors for Penalty Calculation: Nature and severity, intentional or negligent, cooperation with authorities, previous infringements, financial benefit gained.
GDPR Technical Implementation
Privacy by Design Implementation
Consent Management:
```python
from datetime import datetime, timezone


class GDPRConsent:
    # Helpers such as get_user_ip(), store_consent() and
    # stop_processing_for_purpose() are application-specific and not shown.
    def __init__(self):
        self.consent_types = [
            'marketing', 'analytics', 'functional', 'necessary'
        ]

    def record_consent(self, user_id, purposes, method='explicit'):
        # The record is the evidence that consent was given (Article 7),
        # so it captures when, how and for which purposes.
        consent_record = {
            'user_id': user_id,
            'timestamp': datetime.now(timezone.utc),
            'purposes': purposes,
            'method': method,  # explicit, implied, etc.
            'ip_address': self.get_user_ip(),
            'user_agent': self.get_user_agent(),
            'consent_string': self.generate_consent_string(purposes)
        }
        self.store_consent(consent_record)
        return consent_record

    def withdraw_consent(self, user_id, purposes):
        """Allow users to withdraw consent easily"""
        for purpose in purposes:
            self.update_consent_status(user_id, purpose, False)
            self.stop_processing_for_purpose(user_id, purpose)
```
Data Subject Rights API:
```python
class UnauthorizedError(Exception):
    """Raised when the requester cannot prove they are the data subject"""


class DataSubjectRights:
    # Helpers such as verify_identity(), extract_personal_data() and
    # can_erase() are application-specific and not shown.
    def process_access_request(self, user_id, verification_token):
        """Article 15 - Right of Access"""
        # Verify identity first: an access response sent to the wrong
        # person is itself a personal data breach.
        if not self.verify_identity(user_id, verification_token):
            raise UnauthorizedError("Identity verification failed")
        personal_data = self.extract_personal_data(user_id)
        processing_info = self.get_processing_information(user_id)
        return {
            'personal_data': personal_data,
            'purposes': processing_info['purposes'],
            'retention_period': processing_info['retention'],
            'third_parties': processing_info['recipients'],
            'rights_information': self.get_rights_info()
        }

    def process_erasure_request(self, user_id, reason):
        """Article 17 - Right to Erasure"""
        # The same identity verification as for access requests applies here.
        if self.can_erase(user_id, reason):
            self.pseudonymize_or_delete(user_id)
            self.notify_third_parties(user_id, 'erasure_request')
            return {'status': 'completed', 'method': 'deletion'}
        return {'status': 'refused',
                'reason': self.get_erasure_refusal_reason(user_id, reason)}
```
Data Protection by Default
```python
from datetime import datetime, timezone

from cryptography.fernet import Fernet
from flask_sqlalchemy import SQLAlchemy

db = SQLAlchemy()  # assumes Flask-SQLAlchemy


def _utcnow():
    return datetime.now(timezone.utc)


# GDPR-compliant database design
class PersonalDataModel(db.Model):
    # get_encryption_key() and schedule_for_deletion() are application-specific
    # and not shown; the key must come from a secrets store, never this table.
    id = db.Column(db.Integer, primary_key=True)
    # Pseudonymization - don't store real identifiers
    pseudonym = db.Column(db.String(64), unique=True, nullable=False)
    # Encrypted sensitive fields
    email_encrypted = db.Column(db.LargeBinary)  # Encrypted email
    name_encrypted = db.Column(db.LargeBinary)  # Encrypted name
    # Processing metadata (timezone-aware so retention comparisons are sound)
    created_at = db.Column(db.DateTime(timezone=True), default=_utcnow)
    last_accessed = db.Column(db.DateTime(timezone=True))
    retention_until = db.Column(db.DateTime(timezone=True))
    lawful_basis = db.Column(db.String(50))  # consent, contract, etc.
    # Consent tracking
    marketing_consent = db.Column(db.Boolean, default=False)
    analytics_consent = db.Column(db.Boolean, default=False)

    def encrypt_field(self, field_name, value):
        """Encrypt a personal data field and store the ciphertext on the model"""
        fernet = Fernet(self.get_encryption_key())
        token = fernet.encrypt(value.encode())
        setattr(self, field_name, token)
        return token

    def decrypt_field(self, field_name):
        """Decrypt a stored field; returns None when nothing is stored"""
        token = getattr(self, field_name)
        if token is None:
            return None
        return Fernet(self.get_encryption_key()).decrypt(token).decode()

    def check_retention_period(self):
        """Automatically flag data for deletion when retention period expires"""
        if self.retention_until is not None and _utcnow() > self.retention_until:
            self.schedule_for_deletion()

    @property
    def email(self):
        """Decrypt email on access"""
        return self.decrypt_field('email_encrypted')
```
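The rights-API and by-default blocks above rely on helpers the page does not show. The following self-contained example (added here, not code from the original page) works the same three ideas end to end: a keyed pseudonym instead of a bare hash, an Article 17 erasure that is refused while a legal hold applies, and a storage-limitation sweep over expired rows. The key, e-mail addresses and class names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed example key. In production the key lives in a secrets manager
# or HSM, never next to the data it pseudonymises.
PSEUDONYM_KEY = b"example-only-pseudonymisation-key"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC rather than a bare hash: without the key, a pseudonym cannot
    be reversed by hashing a list of candidate e-mail addresses."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class Record:
    pseudonym: str
    lawful_basis: str          # 'consent', 'contract', 'legal_obligation', ...
    retention_until: datetime  # storage limitation: when this row must go
    legal_hold: bool = False   # e.g. invoices that accounting law says to keep


class PersonalDataStore:
    def __init__(self):
        self._rows: dict[str, Record] = {}  # in memory; a real store persists

    def add(self, email, lawful_basis, retention_days, legal_hold=False, now=None):
        now = now if now is not None else datetime.now(timezone.utc)
        p = pseudonymize(email)
        self._rows[p] = Record(p, lawful_basis, now + timedelta(days=retention_days), legal_hold)
        return p

    def erase(self, email):
        """Article 17: erase, unless a legal obligation requires keeping the data."""
        p = pseudonymize(email)
        rec = self._rows.get(p)
        if rec is None:
            return {'status': 'not_found'}
        if rec.legal_hold:
            return {'status': 'refused', 'reason': 'legal_obligation'}
        del self._rows[p]
        return {'status': 'completed', 'method': 'deletion'}

    def expired(self, now=None):
        """Storage limitation: pseudonyms whose retention period has elapsed."""
        now = now if now is not None else datetime.now(timezone.utc)
        return sorted(p for p, r in self._rows.items() if r.retention_until <= now)
```

The `expired()` sweep is what a scheduled deletion job would consume; rows under legal hold still expire and must be handled by policy rather than silently kept.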
Key Takeaways
Remember:
- ✅ GDPR applies globally if processing EU residents' data
- ✅ Lawful basis required for all processing activities
- ✅ Individual rights must be respected and facilitated
- ✅ Breach notification within 72 hours to authorities
- ✅ International transfers require adequate protection
Best Practices:
- 🔒 Privacy by design and by default
- 📋 Maintain records of processing activities
- 🛡️ Implement data protection impact assessments
- 📚 Regular staff training on data protection
- 🔄 Conduct regular compliance audits and reviews