
GDPR for Dummies: Ultimate Guide for Beginners


General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force in May 2018. It was initially adopted in 2016, giving organizations a two-year grace period to apply the regulation. The regulation was introduced by the European Union to protect the personal data of its citizens. The data protection rules set out in GDPR give more rights to data subjects, which prevents businesses from misusing the personal data they collect from individuals while offering their services and products. Furthermore, businesses serving EU citizens must comply with GDPR regardless of where they are located.

What are data subjects?

Data subjects in this context are citizens of the European Union. In a data-driven world, individuals need to protect their data, which can otherwise be used for unregulated purposes. As a result, the European Union, the European Parliament, and the European Commission set out to protect their citizens’ data by giving those citizens the authority to decide how it is used. This in turn requires every organization that deals with EU citizens to ask for their approval before collecting personal data. Organizations that do not comply with the regulation face heavy fines, scaled to the extent of the data breach.

What is considered personal data as per GDPR?

Identifiable information, meaning data that can be traced back to a specific individual, is considered personal data under GDPR. It may include names, addresses, dates of birth, telephone numbers, photographs, location data, bank details, passport numbers, etc. Data that cannot be linked to a person is not covered by the regulation. The regulation further specifies that personal data may only be stored until the business has accomplished the purposes for which it was collected. Organizations must then dispose of the stored information securely.

In addition to personal data, GDPR also defines special categories. These special categories cover sensitive data that leaves a data subject vulnerable in the event of a breach. Such data may include religious beliefs, medical and genetic data, and gender identity. Under GDPR, these categories must be given greater weight and protected with strong information security programs.

Application of GDPR

Businesses whose operations involve EU citizens must comply with GDPR or face penalties for non-compliance. Following GDPR, several nations formulated their own data privacy laws, and each country now has its own regulation to protect the personal data of its citizens. These regulations differ from one country to another, so organizations must take care to comply with each applicable law.

Even after the UK’s exit from the European Union, the UK’s data protection laws closely resemble the EU GDPR. Changes in UK law concern UK citizens, not citizens of the EU. Likewise, companies based in the UK must still follow GDPR when offering their services to EU citizens.

Key Principles of GDPR

The General Data Protection Regulation sets out 8 core principles that have to be applied by organizations and entities serving the citizens of the European Union. These principles are as follows:

  • Notification
  • Lawfulness
  • Limits
  • Security
  • Accountability
  • Downstream protection
  • Access and Rights
  • Breach Notification

What is the GDPR non-compliance penalty?

Businesses that do not follow the regulation face substantial penalties. Fines can reach 4% of global turnover or 20 million euros, whichever is higher, depending on the extent of the breach. Furthermore, data subjects have the right to sue companies or individuals who have violated their data privacy rights under GDPR.

Organizations that suffer a data breach caused by external actors must notify the affected data subjects within 72 hours of the breach. In addition, businesses must provide data subjects with a notice stating how their personal data is being used and whether it is accessible to any third party. This allows data subjects to exercise their rights, withhold their consent, and prevent the organization from using the data for other purposes.

Exceptions of GDPR

A separate article of the regulation lists the organizations that are not required to comply with the EU GDPR. Under this article, the law sets out the circumstances in which personal data is not protected. Examples of these situations include defense, financial security, crime prevention, public health concerns, etc. EU member states are also permitted to apply specific exemptions.

Regardless of geographical location, GDPR has broad ramifications for all EU individuals and for every organization doing business in the EU. Businesses that wish to provide products or services to EU citizens must comply with GDPR or face its strict penalties. The extensive articles and chapters of GDPR lead organizations to hire certified EU GDPR Practitioners to establish the compliance process. These professionals implement best practices within the organization to secure sensitive data while aligning those practices with the regulation. Beyond the practices themselves, GDPR Practitioners can train employees and raise awareness about the security of the sensitive information the organization acquires. Entities are also required to comply with the additional regulations imposed by individual European Union member states.
