
GDPR

Definition

The GDPR (General Data Protection Regulation) is the European privacy law that requires organisations to process and protect personal data carefully.

The GDPR (General Data Protection Regulation) is the European privacy regulation that has applied since 25 May 2018. It protects the personal data of individuals in the EU, regardless of their nationality, and imposes strict requirements on organisations inside and outside the EU that process this data. Fines can reach 20 million euros or 4% of global annual turnover, whichever is higher.

How does GDPR work?

The GDPR is based on six processing principles set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. The controller is accountable for demonstrating compliance with them. Organisations may only process personal data on a valid legal basis, such as consent, contractual necessity, a legal obligation or legitimate interest. Data subjects have extensive rights: access, rectification, erasure (the right to be forgotten), restriction of processing, data portability and objection to processing. A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data.

Data breach notification

If a personal data breach is likely to pose a risk to individuals, the organisation must notify the supervisory authority within 72 hours of becoming aware of it. If the breach is likely to pose a high risk, the affected individuals must also be informed without undue delay. Whether or not notification is required, organisations must keep an internal register of all personal data breaches, documenting the facts, the effects and the remedial measures taken.

Impact on organisations

GDPR has far-reaching consequences for organisations. Privacy by Design and Privacy by Default are mandatory when designing new systems and services. A Data Protection Impact Assessment (DPIA) is required before starting high-risk processing activities. Fines are substantial: in 2023 the Irish Data Protection Commission fined Meta 1.2 billion euros for unlawful transfers of personal data to the United States. Organisations must also map their data processing activities in a record of processing activities (processing register).

Protection and compliance

Effective GDPR compliance combines legal, organisational and technical measures. Technical measures include encryption of personal data at rest and in transit, need-to-know access control, logging of access to personal data so that unauthorised access can be detected and investigated, DLP solutions that prevent unauthorised distribution, and regular security testing. Organisational measures include employee awareness, data processing agreements with suppliers, an up-to-date data breach protocol that supports the 72-hour notification deadline, and regular audits.

How DEFION helps

DEFION supports organisations with the technical side of GDPR compliance through Security Assessments that evaluate the protection of personal data. Pentests identify vulnerabilities that could lead to data breaches, and Managed Threat Detection detects unauthorised access to systems containing personal data.

Related terms

NIS2
Incident Response
ISO 27001