General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive legal framework enacted by the European Union to strengthen and unify data protection for all individuals within the EU. It grants citizens significant control over their personal data, including rights of access, rectification, and erasure, fundamentally influencing the field of computer science by mandating principles like "privacy by design" and "privacy by default" in software architecture and data processing systems. From a cybersecurity perspective, GDPR imposes strict obligations on organizations to implement robust technical and organizational security measures to protect personal data from breaches and requires the prompt reporting of such incidents, making data security not just a technical best practice but a critical legal requirement with significant financial penalties for non-compliance.

1. Foundations of GDPR
   1. Introduction to Data Protection Law
      1. Historical Context and Predecessors
         1. Early Data Protection Laws in Europe
         2. Data Protection Directive 95/46/EC
         3. Limitations of Previous Frameworks
      2. Rationale and Objectives of the GDPR
         1. Harmonisation of Data Protection Laws Across the EU
         2. Strengthening Data Subject Rights
         3. Enhancing Accountability and Governance
         4. Facilitating the Digital Single Market
         5. Addressing Technological Developments
   2. Key Terminology and Definitions
      1. Personal Data
         1. Definition and Scope
         2. Examples of Personal Data
         3. Identifiers and Identification Factors
         4. Online Identifiers
         5. Location Data
         6. Biometric Data
      2. Special Categories of Personal Data
         1. Racial or Ethnic Origin
         2. Political Opinions
         3. Religious or Philosophical Beliefs
         4. Trade Union Membership
         5. Genetic Data
         6. Biometric Data for Identification
         7. Health Data
         8. Sex Life and Sexual Orientation
         9. Additional Protections Required
      3. Processing
         1. Definition of Processing Activities
         2. Collection
         3. Recording
         4. Organisation
         5. Structuring
         6. Storage
         7. Adaptation or Alteration
         8. Retrieval
         9. Consultation
         10. Use
         11. Disclosure by Transmission
         12. Dissemination
         13. Alignment or Combination
         14. Restriction
         15. Erasure or Destruction
      4. Controller
         1. Definition and Role
         2. Determining Controller Status
         3. Decision-Making Authority
         4. Purposes and Means of Processing
      5. Processor
         1. Definition and Role
         2. Processing on Behalf of Controller
         3. Processor vs. Controller Distinction
         4. Sub-Processor Relationships
      6. Data Subject
         1. Definition and Rights
         2. Natural Persons
         3. Deceased Persons
      7. Pseudonymisation
         1. Definition and Purpose
         2. Technical Implementation
         3. Differences from Anonymisation
         4. Benefits for Compliance
      8. Anonymisation
         1. Definition and Irreversibility
         2. Techniques and Methods
         3. Testing for Effective Anonymisation
      9. Profiling
         1. Definition and Examples
         2. Automated Processing
         3. Evaluation of Personal Aspects
         4. Risks Associated with Profiling
      10. Personal Data Breach
          1. Definition and Types of Breaches
          2. Confidentiality Breaches
          3. Integrity Breaches
          4. Availability Breaches
      11. Supervisory Authority
          1. Role and Structure
          2. Independence Requirements
          3. One-Stop-Shop Mechanism
          4. Lead Supervisory Authority
   3. Scope of the GDPR
      1. Material Scope
         1. Types of Data and Processing Covered
         2. Wholly or Partly Automated Processing
         3. Non-Automated Processing in Filing Systems
         4. Exclusions and Exemptions
            1. Household Activities
            2. Law Enforcement Processing
            3. National Security
            4. Activities Outside EU Law Scope
      2. Territorial Scope
         1. Establishment in the EU
            1. Processing by EU-Based Organisations
            2. Main Establishment
            3. Other Establishments
         2. Targeting of Data Subjects in the EU
            1. Offering Goods or Services
            2. Monitoring Behaviour
            3. Representative Requirements
         3. Application to Non-EU Organisations
            1. Designation of Representatives
            2. Compliance Obligations