The General Data Protection Regulation (2016/679, "GDPR") is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals, formally called "data subjects", who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.
The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, although it leaves certain aspects of the regulation to be adjusted by individual member states.

According to the European Commission, "Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual." The precise definitions of terms such as "personal data", "processing", "data subject", "controller", and "processor" are stated in Article 4 of the Regulation. 

Principles
Personal data may not be processed unless there is at least one legal basis to do so. Article 6 lists the lawful bases as:

(a) If the data subject has given consent to the processing of his or her personal data;
(b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
(c) To comply with a data controller's legal obligations;
(d) To protect the vital interests of a data subject or another individual;
(e) To perform a task in the public interest or in official authority;
(f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).

Security of personal data
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with these principles in mind and must provide safeguards to protect the data (for example, pseudonymization or full anonymization where appropriate). Data controllers must design information systems with privacy in mind, for instance by applying the highest-possible privacy settings by default, so that datasets are not publicly available by default and cannot be used to identify a subject. No personal data may be processed unless the processing is done under one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent, the data subject has the right to revoke it at any time.

Article 33 states that the data controller is under a legal obligation to notify the supervisory authority of a personal data breach without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. The report must be made at most 72 hours after becoming aware of the breach. Individuals have to be notified if a high risk of an adverse impact is determined (Article 34). In addition, the data processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33). However, notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (Article 34).
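The two preceding paragraphs name pseudonymization as a design safeguard and note that data rendered unintelligible without a key relieves the controller of notifying data subjects. The following is an added example, not code from the original page or from any regulator, showing what keyed pseudonymization looks like in practice. It assumes records are dicts carrying a direct identifier field (`passport_no`), that the pseudonymization key is held by a separate component from the pseudonymized dataset, and that HMAC-SHA256 is the keyed function used; all records are constructed sample data.

```python
"""Keyed pseudonymization of personal-data records (added example).

Assumptions (not from the page): records are dicts with direct identifier
fields "passport_no" and "name", the key is stored separately from the
pseudonymized output, and HMAC-SHA256 is the keyed derivation function.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"passport_no": "X1234567", "name": "Alice Example", "diagnosis": "flu"},
    {"passport_no": "Y7654321", "name": "Bob Example", "diagnosis": "asthma"},
    {"passport_no": "X1234567", "name": "Alice Example", "diagnosis": "flu follow-up"},
]

# Fields that directly identify a data subject and must not be stored
# alongside the analytical data.
DIRECT_IDENTIFIERS = ("passport_no", "name")


def new_pseudonymization_key() -> bytes:
    """Generate a random 256-bit key; keep it apart from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Derive a stable pseudonym from a direct identifier with HMAC-SHA256.

    An unkeyed hash (SHA-256 alone) could be reversed by enumerating the small
    space of passport numbers; the secret key is what prevents that.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(key: bytes, records: Iterable[dict]) -> List[dict]:
    """Replace direct identifiers with a pseudonym and keep the remaining fields."""
    out = []
    for rec in records:
        token = pseudonym(key, rec["passport_no"])
        cleaned = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        cleaned["subject_id"] = token
        out.append(cleaned)
    return out


def reidentify(key: bytes, records: Iterable[dict], passport_no: str) -> List[dict]:
    """Controller-side lookup of one subject's records, e.g. to answer an access request.

    Only a holder of the key can do this; without it the dataset is unintelligible.
    """
    token = pseudonym(key, passport_no)
    return [r for r in records if r["subject_id"] == token]


def leaks_direct_identifiers(records: Iterable[dict]) -> bool:
    """Sanity check: True if any direct identifier field survived pseudonymization."""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


if __name__ == "__main__":
    key = new_pseudonymization_key()
    table = pseudonymize(key, SAMPLE_RECORDS)
    for row in table:
        print(row)
    print("leaks identifiers:", leaks_direct_identifiers(table))
    print("records for X1234567:", len(reidentify(key, table, "X1234567")))
```

Two properties matter here. The same subject maps to the same `subject_id`, so the pseudonymized table stays useful for analysis and for locating a subject's records when they exercise their rights, but that linkage is only possible with the key. If the key is destroyed, the table can no longer be tied back to individuals, which is how pseudonymized data is moved toward effective anonymization.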

Data protection officer

Article 37 requires appointment of a data protection officer in certain cases. If processing is carried out by a public authority (except for courts or independent judicial authorities when acting in their judicial capacity), if processing operations involve regular and systematic monitoring of data subjects on a large scale, or if processing involves large-scale handling of special categories of data or of personal data relating to criminal convictions and offences (Articles 9 and 10), a data protection officer (DPO)—a person with expert knowledge of data protection law and practices—must be designated to assist the controller or processor in monitoring their internal compliance with the Regulation.

A designated DPO can be a current member of staff of a controller or processor, or the role can be outsourced to an external person or agency through a service contract. In any case, the processing body must make sure that there is no conflict of interest in other roles or interests that a DPO may hold. The contact details for the DPO must be published by the processing organisation (for example, in a privacy notice) and registered with the supervisory authority.

The DPO is similar to a compliance officer and is also expected to be proficient at managing IT processes, data security (including dealing with cyberattacks) and other critical business continuity issues associated with the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. The DPO must maintain a living data inventory of all data collected and stored on behalf of the organization. More details on the function and the role of data protection officer were given on 13 December 2016 (revised 5 April 2017) in a guideline document.

Organisations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations (Article 27). This is a distinct role from a DPO, although the overlap in responsibilities suggests that the role could also be held by the designated DPO.

Given a reference text about GDPR, tell me how GDPR helps to secure personal data.

The General Data Protection Regulation provides rules on storing and processing personal data. Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:

name
address
ID card/passport number
income
cultural profile
Internet Protocol (IP) address
data held by a hospital or doctor (which uniquely identifies a person for health purposes).

Special categories of data
You may not process personal data about someone's:

racial or ethnic origin
sexual orientation
political opinions
religious or philosophical beliefs
trade-union membership
genetic, biometric or health data except in specific cases (e.g. when you've been given explicit consent or when processing is needed for reasons of substantial public interest, on the basis of EU or national law)
personal data related to criminal convictions and offences unless this is authorised by EU or national law.

Who processes the personal data?
During processing, personal data can pass through various companies or organisations. Within this cycle there are two main profiles that deal with processing personal data:

The data controller - decides the purpose and way in which personal data is processed.
The data processor - holds and processes data on behalf of a data controller.

Who monitors how personal data is processed within a company?
The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and for informing and advising employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA), serving as a contact point for the DPA and for individuals.

Processing data for another company
A data controller can only use a data processor who offers sufficient guarantees; these should be set out in a written contract between the parties involved. The contract must also contain a number of mandatory clauses, e.g. that the data processor will only process personal data when instructed to do so by the data controller.

Data transfer outside the EU
When personal data is transferred outside the EU, the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure that one of the following measures is adhered to:

The non-EU country's protections are deemed adequate by the EU.
Your company takes the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.
Your company relies on specific grounds for the transfer (derogations) such as the consent of the individual.

When is data processing allowed?
EU data protection rules mean you should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. You must ensure that you fulfil one of the following conditions to process the personal data; you:

have been given the consent of the individual concerned
need the personal data to fulfil a contractual obligation with the individual
need the personal data to satisfy a legal obligation
need the personal data to protect the vital interests of the individual
process personal data to carry out a task in the public interest
are acting in your company's legitimate interests, as long as the fundamental rights and freedoms of the individual whose data are processed are not seriously impacted. If the person's rights override your company's interests, then you cannot process the personal data.
