GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that took effect on May 25, 2018, imposing strict obligations on organizations handling personal data of EU citizens. It establishes key principles such as lawful processing, purpose limitation, and data minimization, while granting individuals rights over their data. The regulation is currently under scrutiny for potential amendments aimed at reducing regulatory burdens on businesses in Europe.

Uploaded by

vikas tiwari

The General Data Protection Regulation (GDPR)
Note: This presentation is prepared for the purpose of class lecture only. Do not quote or
reproduce. Data and sources are collected from various official websites of the European
Union and from secondary sources (books, journal articles, blogs).
Introduction
• GDPR: Europe’s new data privacy and security law.
• Protection principles for the processing of personal data.
• Came into effect on May 25, 2018.
• Imposes obligations on organizations anywhere in the world, so long as
they target or collect data related to people in the EU.
• The GDPR levies harsh fines and penalties against those who violate its
privacy and security standards.
Key Principles
• Fair and lawful processing
  • In the case of processing on the basis of the law, this law should already
  ensure that these principles are observed (e.g. the types of data, storage
  period and appropriate safeguards).
• Purpose limitation
  • Prior to processing personal data, individuals must be informed about
  the processing, such as its purposes, the types of data collected, the
  recipients, and their data protection rights.
• Data minimisation and data retention
  • Collect and process only as much data as absolutely necessary for the
  purposes specified.
Protection and accountability principles (Article 5.1-2)
Protection
1. Lawfulness, fairness and transparency — Processing must be lawful, fair,
and transparent to the data subject.
2. Purpose limitation — You must process data for the legitimate purposes
specified explicitly to the data subject when you collected it.
3. Data minimization — You should collect and process only as much data as
absolutely necessary for the purposes specified.
4. Accuracy — You must keep personal data accurate and up to date.
5. Storage limitation — You may only store personally identifying data for as long
as necessary for the specified purpose.
6. Integrity and confidentiality — Processing must be done in such a way as to
ensure appropriate security, integrity, and confidentiality (e.g. by using
encryption).
7. Accountability — The data controller is responsible for being able to
demonstrate GDPR compliance with all of these principles.
People’s privacy rights
• The GDPR recognizes a litany of new privacy rights for data
subjects (Articles 12-23) (https://gdpr.eu/tag/chapter-3/).
• These rights aim to give individuals more control over the data they loan to
organizations/firms.
• As an organization/firm, it’s important to understand these
rights to ensure that the organisation/firm is GDPR compliant.
Contd…
• Below is a rundown of data subjects’ privacy rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Accountability
• Appointment of data controllers to ensure GDPR compliance.
• Data controllers have to demonstrate that their company/firm is
GDPR compliant. If you think you are compliant with the GDPR
but can’t show how, then you’re not GDPR compliant.
• Maintain detailed documentation of the data collected: for
example, how it’s used, where it’s stored, which employee is
responsible for it, etc.
• Train staff and implement technical and organizational security
measures.
• A firm should have a Data Processing Agreement in place with any third
party that processes data on its behalf.
• Appoint a Data Protection Officer (though not all organizations
need one).
Data protection by design and by default
• Practically speaking, consider the data protection principles in the design of any
new product or activity (Article 25).
(Suppose, for example, you’re launching a new app for your company. You have to think about what personal
data the app could possibly collect from users, then consider ways to minimize the amount of data collected and how
you will secure it with the latest technology.)
Consent
• There are strict new rules about what constitutes consent from a data subject to
process their information (Article 7): https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/
• Consent must be “freely given, specific, informed and unambiguous.”
• Requests for consent must be “clearly distinguishable from the other matters” and
presented in “clear and plain language.”
• Data subjects can withdraw previously given consent whenever they want,
and the firm has to honor their decision. The firm can’t simply change the legal
basis of the processing to one of the other justifications.
• Children under 13 can only give consent with permission from their parent.
• The firm needs to keep documentary evidence of consent.
Data security
• Handle data securely by implementing “appropriate technical
and organizational measures.” (https://gdpr.eu/recital-78-appropriate-technical-and-organisational-measures/)
• Technical measures range from two-factor authentication on accounts where personal data are
stored to contracting with cloud providers that use end-to-end
encryption.
• Organizational measures: staff training, a data privacy
policy handbook, and restricting access to personal data to only
those employees who need it.
• In case of a data breach, the firm has 72 hours to tell the
data subjects or face penalties.
Conclusion
• Long seen as untouchable in Brussels, the GDPR is next on the list of
the EU’s crusade against overregulation
(https://www.politico.eu/article/eu-gdpr-privacy-law-europe-president-ursula-von-der-leyen/, April 3, 2025).
• Slashing regulation is a key focus for Commission President Ursula von
der Leyen.
• It is an attempt to make businesses in Europe more competitive with
rivals in the United States, China and elsewhere.
• The European Commission plans to present a proposal to cut back the
General Data Protection Regulation.
Contd…
• The GDPR is seen as one of Europe's most complex pieces of
legislation by the technology sector — and by businesses far and
wide beyond tech (especially SMEs).
• The criticism of the GDPR echoes the views of former Italian
Prime Minister Mario Draghi’s report
(https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en):
"The EU's regulatory stance towards tech companies hampers
innovation"
Contd…
• Challenges to data privacy in the age of AI
• Regulation and protection of privacy vs. over-regulation
Example: “Social media technology giant Meta announced on
April 14 that it is starting the use of publicly available
data belonging to users in the European Union (EU) to train
its artificial intelligence (AI) models”
(https://www.medianama.com/2025/04/223-meta-uses-eu-public-posts-to-train-ai-models/)