🔍 GDPR — The General Data Protection Regulation
Came into force: May 2018
Jurisdiction: European Union (EU)
Purpose: Protect the personal data of EU residents and citizens, both within and — under certain conditions — outside EU borders.
What GDPR Protects
Personal Data – any information relating to an identified or identifiable natural person (name, ID number, location data, online identifier, or factors specific to their identity).
Special Categories of Data – sensitive data such as racial/ethnic origin, political opinions, religious beliefs, health information, biometric data, and sexual orientation.
Who GDPR Applies To
GDPR has a territorial scope that goes beyond the EU’s physical borders.
1. EU Residents
If a person is living in the EU, GDPR applies to the processing of their personal data — regardless of nationality.
Example: An Australian living in Paris is protected by GDPR.
2. EU Citizens
GDPR also protects EU citizens even when they are outside the EU, if their personal data is processed in connection with:
An organization offering goods or services to individuals in the EU, or
Monitoring their behavior within the EU.
Example: A Spanish citizen living in Canada buys from an EU-based online store; GDPR applies to that transaction.
Key Principles
GDPR is built around seven core principles that guide all processing activities:
Lawfulness, Fairness, Transparency – processing must have a legal basis, be fair, and clearly explain how data will be used.
Purpose Limitation – collect data only for specific, legitimate purposes.
Data Minimization – gather only the minimum data necessary for the purpose.
Accuracy – keep personal data up-to-date and correct inaccuracies promptly.
Storage Limitation – store data no longer than necessary.
Integrity and Confidentiality – protect data with appropriate security measures.
Accountability – be able to demonstrate GDPR compliance.
Data Subject Rights
GDPR grants individuals powerful rights over their personal data:
Right to Access – know what data is held about them.
Right to Rectification – correct inaccurate data.
Right to Erasure (“Right to be Forgotten”) – request deletion of their data.
Right to Restrict Processing – limit how data is used.
Right to Data Portability – obtain their data in a portable format.
Right to Object – stop processing based on certain grounds.
Rights related to Automated Decision-Making – safeguard against profiling without human intervention.
Obligations for Organizations
Lawful Basis for Processing – consent, contract, legal obligation, vital interest, public task, or legitimate interest.
Data Protection Officer (DPO) – mandatory for public authorities and certain high-risk processors.
Data Breach Notification – must notify supervisory authority within 72 hours of becoming aware of a breach.
Privacy by Design and Default – security and privacy must be built into systems from the start.
Penalties
Lower-tier: Up to €10 million or 2% of annual global turnover (whichever is higher).
Higher-tier: Up to €20 million or 4% of annual global turnover.
Neuromesh Example
Susan from HR sends Anya a product demo dataset containing real customer records.
Even though it’s “internal,” GDPR still applies — there’s no internal-use exemption.
Without anonymization, Neuromesh risks regulatory fines, breach notification obligations, and reputational damage.
Marcus reminds Anya: GDPR isn’t just about avoiding fines — it’s about earning and maintaining customer trust by respecting their privacy rights.