Excellence in Management and Corporate Governance

GDPR Overview: Understanding the EU's Data Protection Law

This is a summary of what the General Data Protection Regulation is about, with a high-level overview of the law and its implications. What is the GDPR, the EU's new data protection law? It is a data privacy regulation from Europe that grants individuals in the EU/EEA rights and control over their personal information.

The GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity-friendly way. The GDPR applies in all EU Member States, which makes it easier for both businesses and citizens. New to the GDPR: the same law applies throughout Europe.

But I find that most businesses do not always understand what the purpose of the GDPR is, what its core principles mean, or what they refer to regarding privacy compliance. I also find the inclusivity of who it covers interesting.

Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are schoolbook examples of personal data. Interests, information about past purchases, health, and online behaviour are also considered personal data, as they could identify a person.

Processing data means collecting, structuring, organizing, using, storing, sharing, disclosing, erasing and destroying data. Each organization that processes personal data (which is every organization with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR.

In a nutshell, the main requirements of the GDPR are as follows:

  • Personal data must be used in line with integrity-friendly principles.
  • Be honest, open and transparent about how you use data.
  • Organisations must only store personal data as long as it is necessary.
  • The processing must be safe and secure.
  • Organisations must have and maintain the proper documentation that shows that they comply with the regulations.
  • Use of personal data must be legal.
  • Use of personal data must be respectful to the individuals’ rights.

Businesses are wise to update or establish their data protection compliance programme. By making data protection an essential component of your business, you can better anticipate risks and data breaches before they occur. Privacy by Design (PbD) is not a new concept in the data protection sphere.

The right to be forgotten, also known as the right to erasure, gives individuals the right under the GDPR to ask organizations to delete their personal data.

The GDPR provides each person with certain rights over their personal data. They have the right to gain access to their personal data. They have a right to know how an organization is using the data, to object to the processing, and so on.

  • The Right to Access (Article 15): Individuals can request to view any personal data collected from them. You must explain to them why you collected the information and who you have shared it with.
  • The Right to Rectification (Article 16): If data collected about an individual is inaccurate, the individual can request a correction (rectification). The organization processing the data must respond as soon as possible, and within one month they must correct the information accordingly. A data subject can also request the completion of incomplete information.
  • The Right to Erasure (Article 17): Individuals can request that you permanently delete their information if the data is no longer relevant or because the user withdraws their consent.
  • The Right to Restrict Data Processing (Article 18): An individual can request to limit how their data is processed when certain conditions apply, such as if the processing is unlawful or if the individual has objected to it.
  • The Right to Data Portability (Article 20): When users request to view their data, they must receive it in a clear format. The controller who provides this information cannot prevent or impede the data subject's ability to give the data to another controller.

Manage citizens' and individuals' rights efficiently. If a data subject contacts you to exercise their rights under the GDPR, which are many, you must be able to act quickly. The data subject has the right to access their personal data and receive a record of the data you hold, to have the data corrected in case of errors, to have the data deleted if certain criteria are met, to have their data exported under certain circumstances, and to object to or restrict certain uses of their personal data. There are time limits to be met when managing these requests.

Personal data is valuable; there are no two ways about it. Data makes it possible for a business to develop business models, gain an understanding of its customers, conduct effective marketing campaigns and develop its products and services. But just as for many other assets, there is a need for responsible use based on common rules.

If personal data is disclosed, accessed, changed or stolen, you are responsible for acting. New to the GDPR: personal data breaches must be reported within 72 hours. This applies even if the breach happened at one of your suppliers. If you can determine that no personal data was put at risk, then it is probably not an event that must be reported. The data subjects themselves must be notified "without undue delay" if the data breach is likely to result in a high risk to their rights and freedoms. In the event of loss of sensitive data, such as health or financial data, the incident must be reported to the authority and each affected individual within 72 hours.

Set up processes to manage a personal data breach within a 72-hour time frame. If your business is subject to a data breach, you must take steps to minimize the risks. In some cases, you must also contact your supervisory authority and the affected individuals. A breach could be loss, destruction or unauthorized access to personal data.

Analyze possible risks and impacts on citizens' rights for the intended use of personal data. Businesses must make a risk assessment if they will use personal data in a new and innovative way, change cloud suppliers, or create new services. If your intended use of personal data may be considered risky, with regard to the sensitivity of the data, the scale of processing, and so on, you must review the processing and assess the impact it may have on data subjects. This process is called a Data Protection Impact Assessment ("DPIA") and is set out in Article 35 GDPR.

Businesses must follow several requirements to comply with the GDPR adequately. Get ready to write this all down; it must go in a privacy policy that you present to your data subjects wherever data processing occurs on your site.

Moreover, you must determine the lawful basis before processing personal data. You must also follow specific conditions outlined by the GDPR to have a valid lawful basis for collecting personal information. It’s important to get this right the first time. The GDPR defines the legal bases companies can use to process personal data.

The GDPR sets out six alternative legal bases (for example, consent or contract). If your processing is not based on any of these, it is not lawful. It might be necessary to process personal data for the performance of a contract. It could also be necessary to use personal data to prevent fraud or to perform marketing.

The data subject consents to having their data processed. Companies can process a person's data if they consent to it. For consent to be informed, the company must clearly explain what it collects and how it will use that data. For consent to be affirmative, the user must take intentional action to show their consent, such as by signing a statement or checking a box. Consent cannot be the default option, so things like pre-checked boxes violate GDPR. For consent to be freely given, the company cannot influence or coerce the subject in any way. The company cannot require consent to use a service unless the processing is necessary for the service to work. The company cannot bundle consents if the data is being processed for multiple purposes. The subject must be able to accept or reject each processing activity individually. Organizations must keep records of consent. Subjects can withdraw their consent at any time.

Informed: Your users must know what they agree to, which means providing an easy-to-read explanation regarding what data you’re collecting, why you need it, how you will use it, and with whom you will share it. Unambiguous indication: Users must signal that they agree to your data processing practices through an active motion or declaration, such as selecting a checkbox or an appropriately labeled ‘Agree’ button. Affirmative action: Users must take obvious action to express that they agree to your data processing activities. The information must be accessible and written using language the average person can understand.

The data must be processed to carry out a task that is in the public interest or part of the controller's official authority. Journalism is a classic example of a public-interest reason for processing personal data.

The data must be processed to pursue a legitimate interest of the controller or a third party. A legitimate interest is a benefit a company could gain through data processing. Examples include doing background checks on employees or tracking IP addresses on a corporate network for cybersecurity purposes. The processing must be necessary to count as a legitimate interest. A company cannot claim a legitimate interest if it can achieve the task without the data in question. Data subjects must also reasonably expect the processing. If subjects would be surprised to hear that their data is being used a certain way, the company likely doesn't have legitimate interest grounds. Organizations must establish and document their bases before collecting data. They must communicate these bases to users.

Regulate the responsibility between Buyer (Controller) and Supplier (Processor). If you are a company which has hired another company to process data on your behalf (such as an IT company providing you with access to their cloud services), you are the “Controller” of the personal data. The hired company will be the “Processor”. For this business relationship, you need a Data Processing Agreement (“DPA”) in addition to the main agreement. A DPA sets out rules for how the Processor may use personal data to fulfil the purpose of the commercial agreement. Businesses commonly use a Data Processing Agreement or DPA to meet these guidelines, outlined in Chapter 4, Article 28.

Keep a data inventory. Each Controller and each Processor must keep a record of information on the use of data. The rules for the record of processing are specified in Article 30 GDPR.

The DPO should be reported to the responsible data protection authority in the country where your organisation is established. The rules regarding the DPO are set out in Articles 37-39 GDPR. What is a public authority? What are core activities? What counts as large scale? DPOs are not personally responsible in case of non-compliance, and they must be independent when carrying out their work.

New to the GDPR: businesses are responsible for their suppliers. The new law introduces obligations on the controller to contractually ensure that its suppliers follow the data protection obligations. If the supplier puts data at risk, the controller will be responsible.

Violating the GDPR leads to hefty fines and public scrutiny. New to the GDPR: the size of the sanctions is significant. Organisations that violate the law may face sanctions of up to the higher of 4% of their global sales (over the last 12 months) or €20 million. Additionally, authorities can issue a public reprimand or restrict data collection activity, for example by banning a company from processing the information of GDPR subjects. The first significant GDPR penalty (approx. €50 million) was issued in January 2019, and it didn't stop there: the regulation has currently amassed a total of €4 billion ($4.5 billion) in fines overall. What are GDPR fines for? GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses.

The GDPR has an extraterritorial scope, meaning its rules apply beyond traditional territorial borders. In the early days of the GDPR, I remember some US companies taking a tentative approach to targeting advertisements for European users.

GDPR regulators have been busy. On Jan. What is the LGPD? Brazil passed the General Data Protection Law in 2018, and it will come into effect in February 2020. This article examines the GDPR vs. GDPR compliance checklist. The GDPR is especially daunting for SMEs.

Two years sounds like plenty of time to prepare. Of course, the data environment looked significantly different in the mid-90s than in 2016. The Data Protection Directive (DPD) was implemented separately by EU and EEA member states and varied significantly between jurisdictions.

According to the GDPR, all data processing performed by any entity must be legal. According to the GDPR, you must take reasonable steps to ensure the personal data you collect is accurate and up to date, wherever necessary. Under the GDPR, your business must take appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing, accidental loss, destruction, and damage. According to the GDPR, organizations must demonstrate that they comply with the six principles I just covered; this is known as the principle of accountability. They need to take ownership of and care for the data throughout its lifecycle.

The paradigm shift toward remote working began even before the COVID-19 pandemic broke out. Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity.

GDPR Compliance Checklist

We created GDPR.eu to simplify GDPR compliance for small- and medium-sized businesses. Termly can help!

92% of Americans are concerned about their privacy when using the Internet. Only 25% of users believe companies are responsible with their data. The United States doesn't have a federal law equivalent to the GDPR.

Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has more than seven years of experience as a DPO for an international organization active in 50 countries and based in Brussels, Belgium.

Ensuring GDPR Compliance: a Comprehensive Guide for Businesses
