GDPR

General Data Protection Regulation

Overview

The General Data Protection Regulation (GDPR) is the cornerstone of EU data protection law. It replaced the Data Protection Directive 95/46/EC and significantly strengthened individuals' rights over their personal data while imposing comprehensive obligations on data controllers and processors.[1]

GDPR applies to any organization processing personal data of individuals in the EU, regardless of where the organization is established. This extraterritorial scope has made GDPR a de facto global standard for data protection.[2]

Who Must Comply

  • Data Controllers: Organizations that determine the purposes and means of processing personal data
  • Data Processors: Organizations that process personal data on behalf of controllers
  • Non-EU entities: Any organization offering goods/services to EU residents or monitoring their behavior
  • All sectors: Applies across industries with limited exceptions for law enforcement and national security

Key Requirements for Developers

Lawful Basis for Processing

Every processing operation must have a valid legal basis under Article 6:[3]

  1. Consent: Freely given, specific, informed, and unambiguous
  2. Contract: Necessary for contract performance with the data subject
  3. Legal obligation: Required by EU or Member State law
  4. Vital interests: Protecting life of data subject or another person
  5. Public interest: Necessary for public interest task or official authority
  6. Legitimate interests: Balanced against data subject's rights (not available to public authorities)

Technical Requirements

  • Data minimization: Collect only what is necessary for the specified purpose
  • Storage limitation: Retain personal data only as long as necessary
  • Integrity and confidentiality: Implement appropriate security measures
  • Privacy by design and by default: Build data protection into systems from the outset (Article 25)[4]

Data Subject Rights

Applications must support the following rights:

Right                   | Description                                                 | Response Time
------------------------|-------------------------------------------------------------|----------------------
Access (Art. 15)        | Provide copy of personal data and processing information    | 1 month
Rectification (Art. 16) | Correct inaccurate personal data                            | Without undue delay
Erasure (Art. 17)       | Delete data when no longer necessary                        | Without undue delay
Restriction (Art. 18)   | Limit processing in specific circumstances                  | Without undue delay
Portability (Art. 20)   | Provide data in machine-readable format                     | 1 month
Objection (Art. 21)     | Object to processing based on legitimate interests          | Without undue delay

Breach Notification

  • To supervisory authority: Within 72 hours of becoming aware (Article 33)[5]
  • To data subjects: Without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Documentation: Maintain records of all breaches regardless of notification requirement

Penalties

GDPR establishes a tiered penalty structure:

  • Lower tier: Up to €10 million or 2% of annual global turnover, whichever is higher
  • Upper tier: Up to €20 million or 4% of annual global turnover, whichever is higher[6]

Major fines issued include:

  • Amazon (Luxembourg, 2021): €746 million
  • Meta/Facebook (Ireland, 2023): €1.2 billion
  • Google (France, 2022): €90 million

Implementation Checklist

  • Identify all personal data processing activities
  • Establish lawful basis for each processing operation
  • Implement consent management where applicable
  • Create privacy notices meeting transparency requirements
  • Build data subject request handling mechanisms
  • Implement appropriate security measures
  • Establish breach detection and notification procedures
  • Conduct Data Protection Impact Assessments for high-risk processing
  • Appoint Data Protection Officer if required
  • Maintain Records of Processing Activities (RoPA)

Sources & References

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council. EUR-Lex: GDPR Official Text
[2] GDPR territorial scope, Article 3. GDPR.eu: Territorial Scope
[3] Lawfulness of processing, Article 6. GDPR-Info: Article 6
[4] Data protection by design and by default, Article 25. GDPR-Info: Article 25
[5] Notification of personal data breach, Article 33. GDPR-Info: Article 33
[6] Administrative fines, Article 83. GDPR-Info: Article 83