GDPR
Came into force: May 2018
Jurisdiction: European Union (EU)
Purpose: Protect the personal data of EU residents and citizens, both within and — under certain conditions — outside EU borders.
What GDPR Protects
Personal Data – any information relating to an identified or identifiable natural person (name, ID number, location data, online identifier, or factors specific to their identity).
Special Categories of Data – sensitive data such as racial/ethnic origin, political opinions, religious beliefs, health information, biometric data, and sexual orientation.
Who GDPR Applies To
GDPR has a territorial scope that goes beyond the EU’s physical borders.
1. EU Residents
If a person is living in the EU, GDPR applies to the processing of their personal data — regardless of nationality.
Example: An Australian living in Paris is protected by GDPR.
2. EU Citizens
GDPR also protects EU citizens even when they are outside the EU, if their personal data is processed in connection with:
An organization offering goods or services to individuals in the EU, or
Monitoring their behavior within the EU.
Example: A Spanish citizen living in Canada buys from an EU-based online store; GDPR applies to that transaction.
Key Principles
GDPR is built around seven core principles that guide all processing activities:
Lawfulness, Fairness, Transparency – processing must have a legal basis, be fair, and clearly explain how data will be used.
Purpose Limitation – collect data only for specific, legitimate purposes.
Data Minimization – gather only the minimum data necessary for the purpose.
Accuracy – keep personal data up-to-date and correct inaccuracies promptly.
Storage Limitation – store data no longer than necessary.
Integrity and Confidentiality – protect data with appropriate security measures.
Accountability – be able to demonstrate GDPR compliance.
Data Subject Rights
GDPR grants individuals powerful rights over their personal data:
Right to Access – know what data is held about them.
Right to Rectification – correct inaccurate data.
Right to Erasure (“Right to be Forgotten”) – request deletion of their data.
Right to Restrict Processing – limit how data is used.
Right to Data Portability – obtain their data in a portable format.
Right to Object – stop processing based on certain grounds.
Rights related to Automated Decision-Making – safeguard against profiling without human intervention.
Obligations for Organizations
Lawful Basis for Processing – consent, contract, legal obligation, vital interest, public task, or legitimate interest.
Data Protection Officer (DPO) – mandatory for public authorities and certain high-risk processors.
Data Breach Notification – must notify supervisory authority within 72 hours of becoming aware of a breach.
Privacy by Design and Default – security and privacy must be built into systems from the start.
Penalties
Lower-tier: Up to €10 million or 2% of annual global turnover (whichever is higher).
Higher-tier: Up to €20 million or 4% of annual global turnover.
Neuromesh Example
Susan from HR sends Anya a product demo dataset containing real customer records.
Even though it’s “internal,” GDPR still applies — there’s no internal-use exemption.
Without anonymization, Neuromesh risks regulatory fines, breach notification obligations, and reputational damage.
Marcus reminds Anya: GDPR isn’t just about avoiding fines — it’s about earning and maintaining customer trust by respecting their privacy rights.
This episode of Anya in Cybersecurity covers Security & Risk Management — part of CISSP Domain 1 preparation. Follow the full series for structured exam readiness.