General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a law created by the European Union (EU) to protect people’s personal data. It was adopted in April 2016 and became enforceable on 25 May 2018. It applies to any organization that collects or uses the personal data of people in the EU, even if the organization has no office or servers in Europe.
In simple terms, GDPR sets the rules for:
- How organizations may collect personal data
- How they must store and protect it
- What they can and cannot do with it
- What rights individuals have over their own data
Key Concepts in GDPR
What is Personal Data?
Personal data is any information that can identify a person directly or indirectly. Examples:
- Name, address, phone number
- Email address (like john@example.com)
- Identification numbers (like ID, passport, tax number)
- Location data, IP address, cookie identifiers
- Information about health, religion, biometrics, etc. (these are “special categories” of data that get extra protection), and other details such as salary
Data Subject
A data subject is the person whose personal data is being collected or processed.
For example, you are the data subject when a website stores your name and email.
Data Controller
A data controller is the organization or person that decides:
- Why the personal data is collected (the purpose)
- How the personal data will be processed
Example: An online shop that collects your name and address to deliver products is a data controller.
Data Processor
A data processor is an organization or person that processes personal data on behalf of the controller.
Example: A cloud hosting provider that stores the online shop’s database is a data processor.
Processing of Personal Data
Processing means any operation performed on personal data, such as:
- Collecting
- Recording
- Storing
- Using
- Sharing
- Deleting
Legal Framework of EU Data Protection
GDPR is part of the broader EU data protection framework.
This framework is built around the idea that privacy and the protection of personal data are fundamental rights of individuals in the EU (both are set out in the EU Charter of Fundamental Rights).
Role of the European Union and European Commission
The European Commission is the EU institution that proposes laws and ensures they are applied correctly.
For data protection:
- It proposed the GDPR to replace the older Data Protection Directive (1995).
- It monitors how EU Member States implement and enforce GDPR.
- It can propose updates or new rules when needed.
Supervisory Authorities (Data Protection Authorities)
Each EU country has a Supervisory Authority or Data Protection Authority (DPA). Their job is to:
- Enforce GDPR in that country
- Handle complaints from individuals
- Investigate organizations and issue fines
- Provide guidance and recommendations
Example: In Ireland, the Data Protection Commission (DPC) supervises many big tech companies that have EU headquarters there.
European Data Protection Board (EDPB)
The European Data Protection Board (EDPB) is a group that brings together all national supervisory authorities and the European Data Protection Supervisor. It:
- Helps ensure GDPR is applied consistently across all EU countries
- Issues guidelines and recommendations
- Resolves disputes between national authorities
Scope of GDPR
GDPR applies when:
- The controller or processor is established in the EU, regardless of where the processing itself takes place, or
- A non-EU organization offers goods or services (paid or free) to people in the EU, or
- A non-EU organization monitors the behavior of people in the EU (e.g., tracking them with cookies or analytics)
“People in the EU” means anyone physically in the EU at the time, not only EU citizens or residents. This means even companies outside Europe must follow GDPR if they target or track EU users.
Core Principles of GDPR
GDPR is built on a set of core principles that every organization must follow when handling personal data:
Lawfulness, Fairness, and Transparency
Data must be processed legally, fairly, and in a transparent way.
People should know what is happening to their data and why.
Purpose Limitation
Personal data must be collected for clearly defined, legitimate purposes and not used for other unrelated purposes later on.
Data Minimization
Only the minimum amount of data necessary for the specified purpose should be collected.
Accuracy
Personal data must be kept accurate and up to date.
Incorrect data should be corrected or deleted.
Storage Limitation
Data should not be kept longer than necessary for the purpose it was collected for.
Integrity and Confidentiality (Security)
Organizations must protect personal data using appropriate security measures (encryption, access control, etc.) to prevent unauthorized access, loss, or damage.
Accountability
The organization (controller) is responsible for complying with GDPR and must be able to demonstrate this compliance (documents, policies, records, etc.).
Lawful Bases for Processing Personal Data
Under GDPR, you cannot process personal data unless you have a lawful basis.
GDPR lists six lawful bases:
Consent
The individual has clearly agreed to the processing for a specific purpose.
Consent must be:
- Freely given
- Specific
- Informed
- Unambiguous
Example: A user ticks a checkbox to receive marketing emails.
Contract
Processing is necessary to perform a contract with the individual or to take steps before entering into a contract.
Example: An e-commerce site needs your address to deliver your order.
Legal Obligation
Processing is necessary to comply with a legal obligation.
Example: A company processes employee salary data to report taxes.
Vital Interests
Processing is necessary to protect someone’s life.
Example: Hospitals sharing patient information in an emergency situation.
Public Task
Processing is necessary to perform a task in the public interest or as part of official authority.
Legitimate Interests
Processing is necessary for the legitimate interests of the organization or a third party, as long as those interests are not overridden by the rights and freedoms of the individual.
Example: Using limited data for fraud prevention or network security.
Rights of Individuals Under GDPR
GDPR gives strong rights to data subjects. Organizations must respect and support these rights.
Right to Be Informed
People have the right to know how their data is being used.
This is usually done through a clear and simple privacy notice or privacy policy.
Right of Access
Individuals can ask an organization if it is processing their data and request a copy of that data.
Right to Rectification
Individuals can ask to correct inaccurate or incomplete personal data.
Right to Erasure (“Right to be Forgotten”)
In certain situations, individuals can ask for their personal data to be deleted, for example when it is no longer needed for its original purpose, when consent is withdrawn and no other lawful basis applies, or when the data was processed unlawfully. The right is not absolute: data that must be kept to meet a legal obligation or to defend legal claims can be retained.
Right to Restrict Processing
Individuals can request that their data is not used for certain purposes while the organization still stores it.
Right to Data Portability
Individuals can receive their data in a structured, commonly used, machine-readable format and transfer it to another service provider.
Right to Object
Individuals can object to certain types of processing such as direct marketing or processing based on legitimate interests.
Rights Related to Automated Decision-Making and Profiling
Individuals have rights when decisions are made about them automatically (without human involvement), especially when these decisions have legal or similarly significant effects (credit approval, job screening, etc.).
Compliance Guidelines for Organizations
Below are practical steps and guidelines that organizations should follow to comply with GDPR.
Understand and Map Your Data
- Identify what personal data you collect (names, emails, IP addresses, etc.).
- Identify where it comes from (forms, logs, third parties).
- Identify where it is stored (databases, file servers, cloud services).
- Identify who you share it with (vendors, partners, processors).
This is often called creating a data inventory or data map.
Define Your Lawful Bases
- For each processing activity, decide which lawful basis applies (consent, contract, legal obligation, etc.).
- Document the lawful basis and be able to explain it.
- Do not rely on consent if you cannot offer a real choice.
Update Privacy Notices and Policies
- Provide clear, simple, and accessible privacy information.
- Include what data you collect, why you collect it, who you share it with, and how long you keep it.
- Explain people’s rights and how they can exercise them.
Obtain and Manage Consent Properly
- Ask for consent with a clear affirmative action, described in plain language; pre-ticked boxes, silence, or inactivity do not count as consent.
- Make consent specific to each purpose (e.g., separate checkboxes for marketing emails and analytics).
- Keep records of when and how consent was given.
- Make it easy to withdraw consent at any time.
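The steps above amount to an append-only consent log that is queried per purpose and per point in time. The block below is an added example, not code from the original page; the subject IDs, purposes, timestamps and notice versions are constructed for the demonstration. It records when and how each consent was given, treats withdrawal as a new event rather than an edit, defaults to “no consent” when nothing was recorded, and can answer whether a given purpose was permitted at a given moment, which is what you need to justify processing that happened before a withdrawal.

```python
"""Append-only consent ledger with per-purpose records and point-in-time checks.
Added example, not code from the original page. Subject IDs, purposes,
timestamps and notice versions are constructed for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one purpose per event, e.g. "marketing_email", "analytics"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # must be timezone-aware
    method: str           # how it was given: "web_form", "account_settings", ...
    notice_version: str   # which consent text / privacy notice the person saw


class ConsentLedger:
    """Events are only ever appended. Withdrawal is a new event, not an edit,
    so the log still proves that processing before the withdrawal was
    covered by consent at the time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def is_permitted(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """The most recent event for (subject, purpose) at or before `at`
        decides. No event at all means no consent: silence, inactivity and
        pre-ticked boxes do not count."""
        at = at or datetime.now(timezone.utc)
        decision: Optional[ConsentEvent] = None
        for event in self._events:  # ledger order breaks ties on equal timestamps
            if (event.subject_id == subject_id and event.purpose == purpose
                    and event.at <= at
                    and (decision is None or event.at >= decision.at)):
                decision = event
        return decision.granted if decision is not None else False

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The full history for one purpose: what a supervisory authority or
        the data subject will ask to see."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


def build_demo_ledger() -> ConsentLedger:
    """Constructed history: marketing consent given via a web form, then
    withdrawn two months later; analytics consent never given."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("user-42", "marketing_email", True,
                               datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc),
                               "web_form", "notice-v3"))
    ledger.record(ConsentEvent("user-42", "marketing_email", False,
                               datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc),
                               "account_settings", "notice-v3"))
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("marketing now:", ledger.is_permitted("user-42", "marketing_email"))
    print("marketing in Feb 2024:", ledger.is_permitted(
        "user-42", "marketing_email", datetime(2024, 2, 1, tzinfo=timezone.utc)))
    print("analytics:", ledger.is_permitted("user-42", "analytics"))
```

Keeping purposes separate is what makes the "separate checkboxes" rule enforceable in code: consent to marketing email says nothing about analytics, and the ledger returns False for any purpose it has never seen.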
Implement Data Protection by Design and by Default
GDPR requires that privacy is built into systems and processes from the beginning, not as an afterthought.
- Collect only the minimum data needed.
- Use privacy-friendly defaults: tracking, profiling and optional data sharing are off until the person turns them on.
- Use techniques like pseudonymization and encryption where possible.
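Pseudonymization and minimization are concrete enough to show in code. The block below is an added example, not code from the original page; the key, the event record and the candidate email list are constructed for the demonstration. It replaces the email with a keyed HMAC-SHA256 pseudonym (the key is the “additional information” that must be stored separately from the pseudonymized data), truncates the IP address to a network prefix, drops fields the analytics purpose does not need, and contrasts this with the common mistake of using a plain hash, which an attacker with a list of likely email addresses can reverse by recomputation.

```python
"""Pseudonymization and minimization of a web event record.
Added example, not code from the original page. The key, the event and the
candidate email list are constructed for the demonstration."""
import hashlib
import hmac
import ipaddress
from typing import Iterable, Optional

# Constructed demo key. In a real deployment the key lives in a secrets
# manager or HSM, separate from the pseudonymized data, so that a copy of
# the analytics store alone cannot be linked back to people.
DEMO_KEY = bytes.fromhex(
    "8f3c1e7a5b2d4c6e9a0f1b3d5e7a9c2b4d6f8a0c2e4b6d8f0a1c3e5b7d9f1a3c")

# Constructed input: what a raw access log entry might carry.
SAMPLE_EVENT = {
    "ts": "2024-03-01T10:15:00Z",
    "email": "John@Example.com",
    "ip": "203.0.113.45",
    "path": "/checkout",
    "status": 200,
    "user_agent": "Mozilla/5.0 (constructed)",
}

# Data minimization: the analytics purpose only needs these raw fields.
ALLOWED_FIELDS = ("ts", "path", "status")


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed pseudonym (HMAC-SHA256, hex). Normalising case and
    whitespace keeps 'John@Example.com' and 'john@example.com' linkable,
    which is the point of a pseudonym for the same person."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """The weak variant often mistaken for pseudonymization: a plain hash.
    Email addresses are guessable, so anyone with a candidate list can
    recompute the hash and re-identify the row."""
    normalised = value.strip().lower().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()


def minimize_ip(ip: str) -> str:
    """Drop host bits: keep /24 for IPv4 and /48 for IPv6. Enough to see
    rough network origin, not enough to single out a household."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_event(event: dict, key: bytes) -> dict:
    """Build the record that is allowed to leave the controller's core
    systems: only the allowed fields, a pseudonym instead of the email, a
    truncated IP, and no user agent (not needed for the purpose)."""
    out = {name: event[name] for name in ALLOWED_FIELDS if name in event}
    out["user"] = pseudonymize(event["email"], key)
    out["ip_prefix"] = minimize_ip(event["ip"])
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      key: Optional[bytes]) -> Optional[str]:
    """Attacker model: knows the scheme and has a list of plausible emails.
    Without the key (key=None) they can only try the unkeyed hash; with
    the key they can link every row, which is why the key is the thing
    to protect."""
    for candidate in candidates:
        guess = (pseudonymize(candidate, key) if key is not None
                 else unkeyed_hash(candidate))
        if hmac.compare_digest(guess, target):
            return candidate
    return None


# Constructed candidate list an attacker might have scraped or bought.
CANDIDATES = ["alice@example.org", "john@example.com", "bob@example.net"]

if __name__ == "__main__":
    record = pseudonymize_event(SAMPLE_EVENT, DEMO_KEY)
    print(record)
    print("unkeyed hash re-identified as:",
          dictionary_attack(unkeyed_hash("john@example.com"), CANDIDATES, None))
    print("keyed pseudonym without the key:",
          dictionary_attack(record["user"], CANDIDATES, None))
```

Note that pseudonymized data is still personal data under GDPR as long as the key exists somewhere, so the output record is lower risk, not out of scope; the gain is that a leak of the analytics store alone does not identify anyone.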
Ensure Data Security
- Use strong access controls and authentication.
- Encrypt sensitive data in transit (HTTPS) and at rest where appropriate.
- Regularly patch and update systems.
- Backup data and test recovery plans.
- Perform regular security assessments or audits.
Maintain Records of Processing Activities
- Document what data you process, why, where it is stored, and who it is shared with.
- These records may be needed if a regulator investigates your organization.
Manage Data Subject Requests
- Set up processes to handle requests: access, rectification, deletion, etc.
- Respond without undue delay and within one month of receipt; this can be extended by two further months for complex or numerous requests, and the person must be told about the extension, with the reasons, within the first month.
- Verify the identity of the requester before releasing or deleting anything. A fake access request is a cheap way for an attacker to obtain someone else’s data, so tie verification to a channel you already trust (the registered email address or an authenticated session) rather than to easily found details such as name and date of birth.
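The request-handling steps above, and the access, portability and erasure rights they serve, come together in the block below. It is an added example, not code from the original page; the subject record, the verification token and the retention rule (invoices kept for tax reporting) are constructed assumptions. It checks the requester’s token in constant time before touching any data, computes the one-month response deadline with calendar-month arithmetic (31 January plus one month is the end of February, not 2 March), exports the record as JSON for access and portability, and on erasure clears every field except those under the assumed legal retention obligation, reporting what was kept and why.

```python
"""Data subject request handling: identity check, deadline, access/portability
export and erasure with a retention exception.
Added example, not code from the original page. The subject record, the
verification token and the retention rule (invoices kept for tax reporting)
are constructed assumptions for the demonstration."""
import calendar
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class SubjectRecord:
    email: str
    name: str
    address: str
    marketing_consent: bool
    invoices: List[dict] = field(default_factory=list)


# Assumed legal obligation: invoice records must be retained for tax
# purposes, so an erasure request cannot remove them.
LEGAL_RETENTION_FIELDS = {"invoices"}


def response_deadline(received: date, extension_months: int = 0) -> date:
    """Respond within one month of receipt, extendable by two further months
    for complex or numerous requests. Same day next month, clamped to the
    month's last day (31 Jan -> 28/29 Feb); a naive '+30 days' gets the
    boundary cases wrong."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    months = 1 + extension_months
    year_delta, month_index = divmod(received.month - 1 + months, 12)
    year = received.year + year_delta
    month = month_index + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def verify_requester(submitted_token: str, expected_token: str) -> bool:
    """Constant-time check of a single-use token that was sent to the
    account's registered contact address. Fulfilling an access request on
    the strength of a name or date of birth alone lets an attacker use the
    right of access to harvest someone else's data."""
    return hmac.compare_digest(submitted_token.encode(), expected_token.encode())


def export_portable(record: SubjectRecord) -> str:
    """Right of access / data portability: structured, machine-readable copy."""
    return json.dumps(asdict(record), indent=2, sort_keys=True)


def erase(record: SubjectRecord) -> Tuple[SubjectRecord, Dict[str, str]]:
    """Right to erasure: clear every field not covered by a retention
    obligation and report, field by field, what was erased and what was
    kept and why, so the reply to the data subject is transparent."""
    data = asdict(record)
    report: Dict[str, str] = {}
    for name, value in data.items():
        if name in LEGAL_RETENTION_FIELDS:
            report[name] = "retained: legal obligation (tax records)"
        else:
            data[name] = False if isinstance(value, bool) else None
            report[name] = "erased"
    return SubjectRecord(**data), report


def handle_request(kind: str, record: SubjectRecord, submitted_token: str,
                   expected_token: str, received: date) -> dict:
    """Dispatch an access or erasure request. Identity is verified before
    anything is looked up or changed."""
    if not verify_requester(submitted_token, expected_token):
        return {"status": "rejected", "reason": "identity not verified"}
    deadline = response_deadline(received).isoformat()
    if kind == "access":
        return {"status": "fulfilled", "deadline": deadline,
                "export": export_portable(record)}
    if kind == "erasure":
        remaining, report = erase(record)
        return {"status": "fulfilled", "deadline": deadline,
                "report": report, "remaining": asdict(remaining)}
    raise ValueError(f"unsupported request kind: {kind}")


# Constructed subject record and verification token.
SAMPLE_RECORD = SubjectRecord(
    email="john@example.com", name="John Doe", address="1 Example Street",
    marketing_consent=True,
    invoices=[{"id": "INV-1001", "amount": "49.90", "issued": "2024-01-15"}],
)
EXPECTED_TOKEN = "c0nstructed-single-use-token"

if __name__ == "__main__":
    print(handle_request("access", SAMPLE_RECORD, EXPECTED_TOKEN,
                         EXPECTED_TOKEN, date(2024, 1, 31)))
    print(handle_request("erasure", SAMPLE_RECORD, "wrong-token",
                         EXPECTED_TOKEN, date(2024, 1, 31)))
```

In a real system the token would be generated per request, stored hashed with an expiry, and invalidated after one use; the constant-time comparison is kept here because token checks are a classic place for timing leaks.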
Handle Data Breaches
A data breach is a security incident that leads to accidental or unlawful destruction, loss, change, unauthorized disclosure, or access to personal data.
- Have an incident response plan.
- Assess the risk to individuals.
- Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; if you miss the 72 hours, the notification must explain the delay.
- Inform the affected individuals without undue delay when the breach is likely to result in a high risk to them (e.g., leaked passwords or financial data).
- Document every breach, including ones you decide not to report, with the facts, the effects and the remedial action taken; the regulator can ask for this record.
Appoint a Data Protection Officer (DPO) When Required
Some organizations must appoint a Data Protection Officer (DPO), in particular when:
- They are a public authority or body, or
- Their core activities involve regular and systematic monitoring of individuals on a large scale (e.g., tracking users), or
- Their core activities involve large-scale processing of special categories of data (health, biometrics, etc.) or of criminal conviction data.
The DPO advises on data protection and monitors compliance.
Assess High-Risk Processing with DPIAs
For processing likely to result in a high risk to individuals (e.g., new technologies, extensive profiling, large-scale processing of special categories), organizations must perform a Data Protection Impact Assessment (DPIA) before the processing starts. If the DPIA still shows a high risk that cannot be reduced, the supervisory authority must be consulted before going ahead.
- Describe the processing and its purpose.
- Assess necessity and proportionality.
- Identify risks to individuals.
- Describe measures to reduce those risks.
Manage Third Parties and Data Processors
- Have written contracts (Data Processing Agreements) with processors.
- Ensure processors follow GDPR and have adequate security.
- Monitor and review processors regularly.
Penalties for Non-Compliance
GDPR allows supervisory authorities to impose significant fines on organizations that do not comply.
- Fines are tiered: up to 10 million EUR or 2% of the worldwide annual turnover of the previous financial year (whichever is higher) for breaches of obligations such as security, record-keeping and breach notification, and up to 20 million EUR or 4% for the most serious violations (the core principles, lawful bases, individuals’ rights and international transfers).
- Supervisory authorities can also order an organization to stop or change its processing, which can hurt more than the fine itself.
- In addition to fines, organizations may suffer reputational damage and loss of customer trust.
Summary for Beginners
- GDPR is an EU law to protect personal data and privacy.
- It applies to any organization handling data of people in the EU, even if the organization is outside the EU.
- It defines clear roles: data subject, controller, and processor.
- It introduces principles like data minimization, transparency, security, and accountability.
- Individuals get strong rights over their data (access, correction, deletion, etc.).
- Organizations must follow strict compliance guidelines and can face heavy penalties if they fail.