hermes-brain/ideas/compliance/gdpr.org
Hermes cc3976fb7f ideas: editorial sweep — atomization, interlinking, restructuring
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in
  ideas/competitors/. Dropped date from filename. All competitor UUIDs
  generated, TOC keeps original UUID for backlink continuity.
- Deleted passepartout-economics.org archive (replaced by 27-node KB).
- Inlined 5 'See also' blocks into natural prose (compliance-index,
  first-mover-window, revenue-table, orders-of-magnitude-time,
  native-org-knowledge-base).
- Linked 7 orphan compliance pages back to compliance index + finished
  truncated sentences.
- Linked all 14 Agora requirement docs from topic-relevant pages
  (identity→lisp-machine-security, infrastructure→compute-marketplace,
  social-space→growth-strategy, exchange→agora-contracts, etc.).
- Linked ai-industry-impact from investment-thesis, sufficiency-flip,
  verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages).
- Fixed CREATED timestamps to use git commit dates instead of today.
- Made all links absolute from root (no port inheritance).
- Removed stale agora/docs/ duplicate content.
2026-05-24 16:25:55 +00:00

:PROPERTIES:
:ID: 513d5996-4ac7-4567-a992-18fc01599104
:ID: auto-gdpr
:CREATED: [2026-05-23 Sat]
:END:
#+title: GDPR (General Data Protection Regulation)
#+filetags: :passepartout:compliance:framework:gdpr:
* GDPR (General Data Protection Regulation)
** What it is
EU regulation (effective May 2018) governing the processing of personal data of
natural persons in the EU. Extraterritorial — applies to any organization
processing EU personal data regardless of where the organization is based.
Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital
  interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten),
  data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors
** Who must comply
Any organization that processes personal data of EU residents. Includes
controllers (determine purposes and means) and processors (process on behalf
of controller). Non-EU organizations with EU data subjects are in scope.
** Penalties
Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
system. Supervisory authorities in each member state enforce. Private right
of action for damages.
** Why it matters for the triad
GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the
[[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]: a provider processing proofs on EU users' gate data must
maintain DPAs with all clients. Proof logs themselves may constitute personal
data if they reference natural persons (names in access rules, etc.), creating
a demand for privacy-preserving proof techniques. This is why the
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][GDPR gate package]] includes data-processing agreement templates and
purpose-boundary gate rules that are independently verified by the provider's
[[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]].
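The purpose-bound gating and proof-log idea above, as an added illustration that is not the project's own gate stack or GDPR gate package: a hypothetical model in which each rule binds a data category to one declared purpose, one lawful basis and the minimum field set that purpose needs. An access that names a matching purpose receives only those fields (data minimisation); any other access receives nothing. Every decision is appended to a hash-chained log, and the data-subject identifier in the log is replaced by a keyed pseudonym so the log carries less personal data than the records it describes. The rule set, the sample record and the key are constructed for the example.

```python
"""Purpose-bound access gate with a hash-chained, pseudonymised decision log.

Added illustration, not the project's gate stack: a hypothetical model in
which each rule binds a data category to one declared purpose, one lawful
basis and the minimum field set that purpose needs.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "subject_id": "cust-1042",
    "name": "Ada Example",
    "shipping_address": "1 Example Street, Dublin",
    "email": "ada@example.invalid",
    "ip_address": "203.0.113.5",
    "date_of_birth": "1990-01-01",
}


@dataclass(frozen=True)
class GateRule:
    category: str            # data category the rule covers
    purpose: str             # the one purpose an access must declare
    lawful_basis: str        # GDPR Art. 6 basis the controller relies on
    fields: FrozenSet[str]   # minimum fields this purpose needs (data minimisation)


@dataclass
class Decision:
    allowed: bool
    rule: Optional[GateRule]
    data: Dict[str, str]     # only the fields the matching rule permits


class PurposeGate:
    def __init__(self, rules: List[GateRule], log_key: bytes) -> None:
        self.rules = list(rules)
        self.log_key = log_key       # secret used to pseudonymise subject ids (constructed)
        self.log: List[dict] = []    # append-only, hash-chained decision log
        self.prev_hash = "0" * 64

    def _pseudonym(self, subject_id: str) -> str:
        # Keyed hash: the log never stores the raw identifier, and the
        # pseudonym cannot be recomputed from the id without the key.
        return hmac.new(self.log_key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def _record(self, entry: dict) -> None:
        entry["prev"] = self.prev_hash
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        self.prev_hash = entry["hash"]

    def access(self, actor: str, category: str, purpose: str, record: dict) -> Decision:
        rule = next((r for r in self.rules
                     if r.category == category and r.purpose == purpose), None)
        # Release only the fields the matching rule lists; nothing on no match.
        data = {k: v for k, v in record.items() if rule and k in rule.fields}
        self._record({
            "actor": actor,
            "category": category,
            "purpose": purpose,
            "lawful_basis": rule.lawful_basis if rule else None,
            "subject": self._pseudonym(record["subject_id"]),
            "allowed": rule is not None,
            "fields_released": sorted(data),
        })
        return Decision(rule is not None, rule, data)


def verify_log(log: List[dict]) -> bool:
    """Recompute the hash chain; any edited or dropped entry breaks it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry.get("hash"):
            return False
        prev = digest
    return True


def log_mentions(log: List[dict], needle: str) -> bool:
    """True if the raw string appears anywhere in the serialised log."""
    return any(needle in json.dumps(e) for e in log)


def build_demo_gate() -> PurposeGate:
    rules = [
        GateRule("customer_record", "order_fulfilment", "contract",
                 frozenset({"name", "shipping_address"})),
        GateRule("customer_record", "fraud_screening", "legitimate_interests",
                 frozenset({"email", "ip_address"})),
    ]
    return PurposeGate(rules, log_key=b"constructed-demo-key")


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.access("billing-svc", "customer_record", "order_fulfilment", SAMPLE_RECORD))
    print(gate.access("marketing-svc", "customer_record", "marketing", SAMPLE_RECORD))
    print("log intact:", verify_log(gate.log))
```

Two design points matter for the note above. First, the log records the purpose and lawful basis of every decision, allowed or denied, which is the kind of evidence a DPIA or a supervisory-authority request asks for. Second, pseudonymisation reduces but does not remove personal data: under GDPR, pseudonymised data that the controller can still re-identify (here, anyone holding the key) remains personal data, so the log itself still needs a retention limit and access gating of its own.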