General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a legal framework introduced by the European Union (EU) that took effect on 25 May 2018. It governs the collection, processing, storage and protection of the personal data of individuals within the EU and the European Economic Area (EEA). It also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects.

kaykay
Sep 11, 2025 - 18:01
Oct 8, 2025 - 18:15

Key Definitions

Personal data : means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject : Any identified or identifiable natural person whose personal data is being collected or processed.

Profiling : It means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymization : It means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
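The definition above has a practical consequence that is easy to get wrong: replacing an identifier with a plain hash is not pseudonymization in the GDPR sense, because anyone with a list of candidate identifiers can recompute the hash and link the record back. The following added example (not part of the original page) shows the difference. It keys the token with HMAC-SHA256 and keeps the key and the token-to-identifier lookup table apart from the dataset; those two items are the "additional information" the definition refers to. The records, addresses, key and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are placeholders, not real people.
RAW_RECORDS = [
    {"email": "alice@example.com", "item": "laptop", "amount": 1200},
    {"email": "bob@example.com", "item": "monitor", "amount": 300},
    {"email": "alice@example.com", "item": "mouse", "amount": 25},
]


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier. NOT adequate pseudonymization: anyone
    holding a list of candidate emails can recompute it (see dictionary_attack)."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key a token cannot be
    recomputed from a guessed identifier, so the key (kept separately, under
    its own access controls) is what makes the dataset pseudonymous."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Split the input into (a) records carrying only a pseudonym and
    (b) a lookup table token -> identifier. (a) can be handed to analytics or
    a processor; (b) and the key stay with the controller, stored separately."""
    dataset, lookup = [], {}
    for rec in records:
        token = keyed_token(rec["email"], key)
        lookup[token] = rec["email"]
        dataset.append({"subject": token, "item": rec["item"], "amount": rec["amount"]})
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Authorised path back to the data subject, e.g. to answer an access request.
    Deleting a subject's entry here (and never rebuilding it) is one way to honour
    an erasure request while leaving the rest of the analytics dataset usable."""
    return lookup.get(token)


def dictionary_attack(token: str, candidates, token_fn):
    """What someone holding only the dataset can do: derive a token from each
    guessed identifier with token_fn and compare. Succeeds against unkeyed_token;
    fails against keyed_token unless the attacker also has the key."""
    for cand in candidates:
        if hmac.compare_digest(token_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from a KMS/HSM, not next to the data
    dataset, lookup = pseudonymize(RAW_RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    # Same subject, same token: records stay linkable within the dataset.
    print("linkable:", dataset[0]["subject"] == dataset[2]["subject"])
    # Plain hash falls to a guess list; keyed token does not.
    print("unkeyed recovered:", dictionary_attack(unkeyed_token("alice@example.com"), guesses, unkeyed_token))
    print("keyed recovered:", dictionary_attack(dataset[0]["subject"], guesses, unkeyed_token))
```

The design point is the separation: the dataset, the key and the lookup table should live under different access controls, and a breach of the dataset alone then exposes no identified individuals. If the key is stored in the same database as the tokens, the result is still personal data and the pseudonymization adds nothing.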

Recipient : It means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

Third party : It means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. 

Consent : Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach : It means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Genetic data : It means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Processing : means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or  destruction.

Data concerning health : It means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 

Biometric data : It means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

Restriction of processing : It means the marking of stored personal data with the aim of limiting their processing in the future.

Data Controller : The natural or legal person, public authority, agency, or body which determines the purposes and means of processing personal data.

Responsibilities :

  • Ensure a lawful basis for processing.
  • Implement appropriate security measures.
  • Protect the rights of data subjects.

Data Processor : The natural or legal person, public authority, agency, or body which processes personal data on behalf of the data controller.

Responsibilities :

  • Process data only on the controller's documented instructions.
  • Maintain data security.
  • Notify the controller of personal data breaches without undue delay.

The 7 Principles of GDPR

GDPR is built on seven core principles, which guide all processing of personal data.

1) Lawfulness, Fairness, and Transparency

  • Data must be processed lawfully, fairly, and transparently in relation to the data subject.
  • Example : Informing users how their data will be used when they sign up.

2) Purpose Limitation

  • Data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.
  • Example : An email address collected for order confirmation should not be used for unrelated marketing without consent.

3) Data Minimization

  • Only collect data that is adequate, relevant, and limited to what is necessary.
  • Example : A hotel booking form should not request unrelated information such as religion.

4) Accuracy

  • Personal data must be accurate and, where necessary, kept up to date.
  • Example : Customers must have a way to update their addresses in your records.

5) Storage Limitation

  • Personal data should be kept no longer than necessary for the purposes for which it is processed.
  • Example : Deleting job applicant data after the recruitment process ends, unless permission to retain it has been given.

6) Integrity and Confidentiality (Security)

  • Data must be processed in a manner ensuring appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  • Example : Encrypting customer payment details at rest and in transit.

7) Accountability

  • The data controller is responsible for, and must be able to demonstrate, compliance with the above principles.
  • Example : Maintaining records of processing activities and conducting Data Protection Impact Assessments (DPIAs).

Rights of Data Subjects

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure (right to be forgotten).
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.
  • Rights related to automated decision-making and profiling.

Penalties for Non-Compliance

  • Fines of up to 20 million euro or 4% of annual global turnover, whichever is higher.
  • Reputational damage and loss of trust.

Conclusion

GDPR is not just about compliance but about building trust with individuals. Organizations must embed privacy into their operations, uphold the seven principles, and respect the rights of data subjects to avoid legal, financial and reputational risk.