
Accountability, Rights, and Global Action: Key Updates on the GDPR

Jul 3, 2025

Visual banner for a blog post about GDPR – with the text: "Accountability, Rights, and Global Action: Key Aspects of GDPR."

General Data Protection Regulation (GDPR): A Groundbreaking Standard in Data Protection

Since its enforcement in May 2018, the General Data Protection Regulation has become a global standard for data protection. The regulation has completely transformed the approach to personal data protection. It introduced a range of legal, procedural, and technological innovations that continue to have a significant impact worldwide.

What tangible and key innovations has the regulation introduced?

Substantive Responsibility Instead of Formal Compliance

One of the most important novelties of the regulation is the emphasis on the principle of accountability. Article 5(2) requires those responsible for processing not only to comply with the data processing principles but also to be able to demonstrate that they do so.

Thus, compliance must be preventive and proactive, not just formal. This principle has established new practices in data processing. Organizations are required to document their processing activities (Article 30), conduct Data Protection Impact Assessments (DPIA, Article 35), and build Privacy by Default & by Design settings (Article 25) into their processing.

Expansion and Consolidation of Individual Rights

Although previous European legislation on data protection (Directive 95/46/EC) recognized certain rights, the regulation perfected them and created effective mechanisms for their implementation.

Particularly noteworthy is the right to data portability (Article 20), which allows data subjects to receive their own data in a structured, machine-readable format and transfer it to another data controller, thereby enhancing digital competition. Also significant is the right to erasure (Article 17), often referred to as the "right to be forgotten".

Additionally, the right related to automated decision-making and profiling processes (Article 22) ensures that decisions made using algorithms are accompanied by human oversight.

These rights come with specific obligations for organizations: they must ensure transparent communication and timely responses. Most importantly, the data subject has access to data protection supervisory authorities, which gives the rights real enforceability.

Extraterritoriality and Global Impact

One of the most notable innovations of the regulation is its extraterritorial application. According to Article 3, the regulation applies to companies registered outside the EU that offer services or goods to EU citizens or monitor their behavior.

This rule has granted the regulation global standard status. The data protection laws of many jurisdictions, including Brazil, South Korea, and certain US states (e.g., California), are based on or inspired by the regulation's principles. As a result, EU citizens' data is better protected, and global companies are compelled to align their standards with the regulation's requirements.

Data Protection by Default and Design

Data protection by default and by design (Privacy by Default & by Design, Article 25) originated in academic and scientific circles, but the regulation granted it legal force.

Organizations are required to ensure, through technical and organizational measures, that only necessary data is processed, in minimal quantity, and for a specified purpose.

This principle influences the development of technologies: companies are turning to anonymization and pseudonymization methods to strengthen privacy protection in software settings and from the initial stages of processing.

Clear Sanctions and Enhanced Enforcement Tools

One significant innovation of the regulation is the sanctions mechanism, which includes fines that can reach up to 4% of a company's annual global revenue or 20 million euros. This mechanism effectively changes businesses' attitudes towards data protection.

Various national data protection supervisory authorities, including Ireland’s DPC, France’s CNIL, and Germany’s BfDI, actively exercise their authority in imposing sanctions. High fines on giants like Meta and Amazon demonstrate that enforcement of the regulation is not merely a formal "threat" but a real legal tool.

Challenges and Perspectives

Despite its scale, the regulation requires refinement in terms of consistent enforcement and addressing technological challenges. For instance, the Schrems II decision, which annulled the EU-US Privacy Shield agreement, highlighted the complexities of international data transfers. Nonetheless, the GDPR remains a living instrument: it is flexible, adaptable, and sufficiently principled to encourage legal innovation.

Therefore, the regulation is much more than a legal document; it represents a new social contract for the digital age. Its innovations (the principle of accountability, the right to data portability, global status) foster a new culture of data governance. This regulation continues to define global standards and strengthen human rights in the digital space.

Documentation

Contact Information

+(995) 599 08 61 98

Info@dpt.ge

Website author Noe Tikadze
