Glossary
What is GDPR — the EU's data-protection rules and breach-notification duty
GDPR (the EU General Data Protection Regulation) is a comprehensive law protecting the personal data of people in the EU. This entry explains who it applies to, what it requires — data minimization, consent, breach notification, heavy fines — and the defensive basics: collect and hold only the personal data you truly need.
GDPR is the personal-data law to be aware of if you serve EU users. Here are the essentials and the defensive basics in technical/operational terms — no attack steps.
What it requires
Beyond the legal detail, focus on the operating pillars that actually work as defense.
Don't collect or hold it (data minimization)
Collect and keep only the minimum personal data your purpose needs. Data you don't hold can't leak — the strongest defense. Delete it when it's no longer needed.
Protect it (encryption, access control)
Encrypt personal data and scope it to "only those who may touch it" via authorization. Keep secrets off the public surface (→ keep secrets out of public directories).
Detect and report (the 72-hour rule)
Detect a breach quickly and keep logs to trace its impact. Be ready to notify the authority within ~72 hours. With no detection, you can't meet the duty.
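The three pillars above, as an added illustration that is not part of this glossary: a small in-memory store in Python that refuses personal data without a stated purpose and retention limit, purges records once their retention has elapsed, scopes reads to the data subject, writes every action to an audit trail, and computes the 72-hour notification deadline. The class and function names are constructed for this example, and the store is a stand-in for whatever database you actually use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Record:
    subject: str            # the person the data is about
    field_name: str         # e.g. "email"
    purpose: str            # why it is held; an empty purpose is refused
    collected_at: datetime
    retention: timedelta    # how long the stated purpose needs it

@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # append-only trail for tracing a breach

    def collect(self, rec, now):
        # Minimization: refuse data that has no stated purpose or no retention limit.
        if not rec.purpose or rec.retention <= timedelta(0):
            raise ValueError("refusing to hold data without a purpose and retention limit")
        self.records.append(rec)
        self.audit.append(f"{now.isoformat()} COLLECT {rec.subject}/{rec.field_name} purpose={rec.purpose}")

    def purge_expired(self, now):
        # Delete what the purpose no longer needs; returns the number of records removed.
        keep, dropped = [], 0
        for r in self.records:
            if r.collected_at + r.retention <= now:
                dropped += 1
                self.audit.append(f"{now.isoformat()} PURGE {r.subject}/{r.field_name}")
            else:
                keep.append(r)
        self.records = keep
        return dropped

    def read(self, actor, subject, now):
        # Scope data to its owner: only the data subject may read their records; every attempt is logged.
        allowed = actor == subject
        self.audit.append(f"{now.isoformat()} READ actor={actor} subject={subject} allowed={allowed}")
        if not allowed:
            raise PermissionError(f"{actor} may not read {subject}'s data")
        return [r for r in self.records if r.subject == subject]

def notification_deadline(aware_at):
    # The 72-hour clock runs from when you become aware of the breach; assume UTC if naive.
    if aware_at.tzinfo is None:
        aware_at = aware_at.replace(tzinfo=timezone.utc)
    return aware_at + timedelta(hours=72)
```

Run `purge_expired` on a schedule and keep the audit trail somewhere the application cannot rewrite, since that trail is what lets you scope an incident within the notification window.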
'Not relevant' isn't a safe assumption
GDPR can apply wherever a business is located if it offers goods/services to people in the EU or monitors their behavior. If you serve EU users or handle their personal data, "we're not an EU company" doesn't make it irrelevant. A practical start is an inventory of which personal data you hold and why.
This site's view: compliance and defense point the same way
GDPR's requirements point the same direction as the defense this site preaches: minimize personal data, encrypt it, scope it with authorization, and be able to detect and record a breach. That's not only for the law — it's the basic way to have fewer incidents. Treating regulation as "a re-check of your defenses" rather than "extra burden" is the realistic stance for a small operation.
Read next
- Basics: authentication vs authorization (scope data to its owner) · the minimum security checklist
- Glossary: public-key crypto · PCI DSS (another standard for sensitive data)
- Related: OWASP Top 10 · the history of security (timeline)
Source
- European Commission — GDPR (official): commission.europa.eu
FAQ
Q: Does GDPR apply to businesses outside the EU?
It can. GDPR can apply wherever a business is located if it offers goods or services to people in the EU, or monitors their behavior. If you serve EU users or handle their personal data, you may be in scope — 'we're not an EU company' doesn't automatically mean 'not relevant.'
Q: What are the technical essentials of GDPR?
Broadly: (1) obtain a lawful basis (e.g. consent) and state a clear purpose; (2) collect and hold only the minimum data needed (data minimization); (3) protect personal data with encryption and access control; (4) be able to honor access/erasure requests; (5) be able to detect a breach quickly and notify the authority, generally within 72 hours.
Q: What do I do if there's a breach?
Under GDPR you generally must notify the supervisory authority within 72 hours of becoming aware of a personal-data breach (and sometimes the affected people). That's exactly why you need to be able to detect an incident quickly and have logs to trace its scope. Without detection and records, you can't even meet the notification duty.