The 99 articles of the General Data Protection Regulation (GDPR) emphasize various crucial aspects of data protection, of which the top 10 can be summarized as follows:
Data Subject Rights are central to GDPR, encompassing the rights to access, rectify and erase personal data, and the right to data portability. The regulation outlines a Lawful Basis for Processing, requiring explicit consent for data processing and recognizing other lawful bases such as legitimate interests and legal obligations. Data Protection by Design and Default is another key aspect, mandating that data protection principles be integrated into systems and practices with privacy as the default setting.
Responsibilities of Data Controllers and Processors are also emphasized, including the need to maintain records of processing activities, implement security measures, and conduct impact assessments for high-risk processing. The GDPR imposes restrictions on Cross-border Data Transfers, ensuring adequate protection levels or specific safeguards for data transferred outside the EU.
Consent Requirements under GDPR are stringent: consent must be freely given, specific, informed and unambiguous, and it must be easy to withdraw. Data Breach Notifications are mandated, requiring the relevant authorities to be notified of certain data breaches within 72 hours, and affected individuals to be informed if there is a high risk to their rights and freedoms.
Accountability and Governance are key, requiring organizations to demonstrate GDPR compliance and appoint a Data Protection Officer in specific cases. Special protection is afforded to Children's Data, with parental consent required for processing data of children below a certain age. Finally, Penalties and Fines for non-compliance are significant, with fines based on the severity of the breach and the company's efforts to mitigate the damage.