Understanding GDPR: Key Principles, Rights, and Compliance Requirements
GDPR, the EU’s General Data Protection Regulation effective since May 2018, imposes strict data‑handling rules worldwide, outlining seven core principles, eight data‑subject rights, mandatory legal bases, DPO appointments, breach notifications, privacy‑by‑design, record‑keeping, cross‑border transfer limits, hefty fines, and its global influence on similar laws.
1. What is GDPR?
GDPR (General Data Protection Regulation) is an EU regulation that became effective on 25 May 2018. It protects the personal data of natural persons in the EU and regulates how organisations process such data. Its reach is extraterritorial: it applies not only to organisations established in the EU but also to those outside the EU that offer goods or services to people in the EU or monitor their behaviour there.
2. Core Principles (Seven)
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
3. Data‑Subject Rights (Eight)
Right to be informed – clear knowledge of how data is collected and used
Right of access – obtain a copy of personal data and processing information
Right to rectification – request correction of inaccurate data
Right to erasure (right to be forgotten) – request deletion of personal data
Right to restriction of processing – pause processing in specific situations
Right to data portability – receive data in a structured, commonly used format and transfer it to another controller
Right to object – oppose processing based on a public task or legitimate interests, and oppose processing for direct marketing at any time
Right not to be subject to automated decision‑making – not to be subject to a decision, including profiling, that produces legal or similarly significant effects when it is made solely by automated means
4. Key Requirements for Companies
Organisations must have at least one lawful basis for every processing activity: consent, performance of a contract, a legal obligation, vital interests, a public task, or legitimate interests balanced against the data subject's rights and freedoms. Consent must be freely given, specific, informed and unambiguous, and must be as easy to withdraw as to give. (Explicit consent is the higher bar required for special‑category data such as health or biometric data.)
Appointment of a Data Protection Officer (DPO) is required for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those whose core activities involve large‑scale processing of special‑category or criminal‑conviction data.
Data‑breach notification to the supervisory authority must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them.
Data protection by design and by default require embedding data protection into the design of products and services and ensuring that, by default, only the personal data necessary for each specific purpose is processed.
Organizations must keep detailed records of processing activities and conduct Data Protection Impact Assessments (DPIA) for high‑risk processing.
Cross‑border transfers outside the EU are restricted and may rely on adequacy decisions (e.g., Japan, UK) or appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.
5. Penalties
Higher tier: up to €20 million or 4 % of total worldwide annual turnover for the preceding financial year (whichever is higher) for violations of the core principles, data‑subject rights, or cross‑border transfer rules.
Lower tier: up to €10 million or 2 % of total worldwide annual turnover (whichever is higher) for failures in controller and processor obligations such as record‑keeping, security, breach notification, DPIAs, or DPO appointment.
6. Notable Cases
Google – fined €50 million by the French regulator CNIL in January 2019 for transparency and consent failures (the first major GDPR fine).
Meta – fined €1.2 billion by the Irish Data Protection Commission in May 2023 for transferring EU users' data to the United States without adequate safeguards.
7. Global Impact and Similar Laws
Brazil’s LGPD – heavily inspired by GDPR.
South Africa’s POPIA – similar framework.
California’s CCPA/CPRA – shares some rights (access, deletion, portability) but applies only to for‑profit businesses above certain thresholds and centres on opt‑out rights over the sale and sharing of personal information rather than requiring a lawful basis for processing.
China’s PIPL – combines GDPR concepts with local specifics, effective 2021.
8. Compliance Checklist
Data mapping – know what data is collected, where it is stored, and who can access it.
Privacy notice – update to a clear, transparent version.
Consent management – obtain valid consent and record its status.
Process for data‑subject requests – establish internal workflows for access, deletion, etc.
Vendor management – sign Data Processing Agreements with processors.
Security measures – implement technical and organisational safeguards (encryption, anonymisation, access controls).
Employee training – ensure staff understand GDPR obligations.
Contact points – appoint a DPO or EU representative where required.
Incident response – develop a data‑breach response plan.
9. Core Takeaway
GDPR shifts power from companies that freely collect data to individuals who control their own data, representing not only a legal compliance issue but also a broader transformation toward user‑centric, privacy‑respecting business models essential for any organization serving global, especially EU, users.
This article has been distilled and summarised from source material and republished for learning and reference.
Woodpecker Software Testing
Woodpecker Software Testing is a public account that shares software testing knowledge and connects testing enthusiasts. It was founded by Gu Xiang (website: www.3testing.com), author of five books including "Mastering JMeter Through Case Studies".