No time to go through the lengthy GDPR official text? Want to get a simple but well-rounded understanding of this regulation? Our GDPR summary is exactly what you need.
Consumer data has become more and more valuable for companies, and therefore widely available and used. Strong regulations had to be put in place for safeguarding individuals’ personal data.
Probably the most known and robust one is the General Data Protection Regulation (GDPR), which set the pace for the digital ecosystem in the Europe and the rest of the world – fuelling the emergence of more global privacy regulations.
👀 In this comprehensive GDPR summary, we’ll simplify and explain key points and provisions you should be aware of. We also provide practical resources for your own GDPR compliance.
GDPR stands for “General Data Protection Regulation”.
🗓️ When was it enacted? The GDPR is a regulation enacted by the European Union that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date.
💬 What is it? At its most basic, the GDPR specifies how personal data should be lawfully processed, collected, used, protected or interacted with in general. It primarily safeguards personal data, promoting transparency and accountability in how companies handle this information.
📍 Where does it apply? The GDPR can apply to you whether your organization is based in the EU or not. More on this in our dedicated section.
To understand the GDPR in simple terms, think of it as a framework that declares and enforces rights in, regards to personal data, for the persons who fall under its scope. Its scope includes people who are based in Europe and people targeted by entities based in Europe.
GDPR in a Nutshell:
if you target Europe-based users, GDPR rules may apply to you regardless of your location; and
if you are based in Europe but target non-Europe-based persons, you may still be bound by GDPR rules.
Under the GDPR you must have a legitimate reason, or legal basis, to process the personal data of users. You must also respect and honor user rights such as the Right to Access, the Right to Object, the Right to Erasure and more.
Personal data can include but isn’t limited to IP addresses, email addresses, names, location, biometric data and more.
What are the requirements of GDPR in a nutshell?
The main requirements of GDPR include:
Lawful, Fair, and Transparent Processing: Data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. This means organizations must have a valid legal basis (e.g., consent, contractual necessity, compliance with a legal obligation, vital interests, public task, or legitimate interests) for processing personal data and must clearly inform data subjects about how their data is being used.
Purpose Limitation: Personal data collected must be for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization: Organizations should only process personal data that is necessary for the purposes for which it is processed. This means limiting the collection of personal data to what is directly relevant and necessary to accomplish a specified purpose.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, considering the purposes for which it is processed, is erased or rectified without delay.
Storage Limitation: Personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by the GDPR.
Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with the other GDPR principles. This includes implementing effective data protection policies, taking a proactive approach to data protection, and maintaining relevant documentation on processing activities.
Data Subject Rights: GDPR provides data subjects with various rights, including the right to access their personal data, the right to have inaccurate data corrected, the right to have their data erased (the “right to be forgotten”), the right to restrict processing, the right to data portability, and the right to object to processing.
Consent: When processing is based on consent, the organization must be able to demonstrate that the data subject has consented to processing of their personal data. Consent must be freely given, specific, informed, and unambiguous, with a clear affirmative action by the data subject.
Data Protection Impact Assessments (DPIAs): Organizations must conduct DPIAs where data processing is likely to result in high risk to the rights and freedoms of individuals, particularly for new projects or technologies.
Data Protection Officers (DPOs): Organizations that engage in large-scale processing of personal data, or that process certain types of sensitive data, are required to appoint a Data Protection Officer (DPO) to oversee compliance with GDPR.
Cross-Border Data Transfers: Transfers of personal data outside the EU and EEA are subject to strict conditions. Organizations must ensure that the same level of data protection is afforded to the data when it is transferred internationally.
Breach Notification: GDPR requires organizations to notify the relevant supervisory authority of a personal data breach without undue delay (and where feasible, within 72 hours) after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
📌 What Is a Summary of GDPR Provisions?
The main provisions of the GDPR focus on protecting individuals’ rights and instituting better data handling practices.
Here are the major takeaways from the regulation:
Definition of personal data: It is defined as pieces of information that, when collected together, can lead to the identification of a person. Typically: names; health, genetic and biometric data; web data such as IP addresses; personal email addresses; political opinions.
Disclosure requirements: This is typically done via a privacy policy. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
Consent: If as an organization you process personal data, the GDPR requires you to have a valid reason to do so (called legal basis). If consent is your legal basis, before collecting any personal data, you will have to obtain explicit (clear and affirmative) user consent and keep records of this consent.
Organizational measures: You must honor user rights and requests, as well as implement organizational measures (assessments, appointing a person responsible for privacy) and keep the data safe when stored.
💡 Want more detail on GDPR provisions? You’ll find what you’re looking for in our full legal guide.
📌 When Does the GDPR Apply?
In brief, the GDPR applies when:
an entity’s base of operations is in Europe (this applies whether the processing takes place in Europe or not);
an entity not established in Europe offers goods or services to people in Europe; or where
an entity is not established in Europe, but it monitors the behavior of people who are in Europe.
*Remember, If you are based in the EU, you must apply GDPR standards to all users (not only to users in the EU)!
Data can only be processed if there’s at least one legal basis for doing so. The legal bases are:
The user has given consent for one or more specific purposes (often the safest bet and the legal basis that many businesses choose).
The data processing is necessary for the performance of a contract or in order to take steps prior to entering the contract.
The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
The processing is necessary for protecting the vital interests of the user or of another person.
The processing is necessary for performing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.
💡 Legal bases chosen by businesses MUST legitimately apply. If they don’t, data protection authorities have stated that harsher penalties could be given.
📌 What are the GDPR Data Subject Rights?
Data subject rights, a cornerstone of GDPR, provide individuals with control over their personal data. Here’s a GDPR data subject rights overview:
Right to Be Informed
Right of Access
Right to Rectification
Right to Erasure
Right to Restrict Processing
Right to Data Portability
Right to Object
Rights on Automated Decision-Making and Profiling
The right to be informed is the first step toward GDPR compliance. And it starts with having a strong and easy-to-understand privacy policy accessible at all time from your website. 👉 See a GDPR-compliant privacy policy example here
📌 Rules for GDPR Consent
GDPR Summary of Requirements: Under GDPR rules, if you’re using people’s data based on their consent, you must ensure they agree in a way that can be confirmed and non-ambiguous:
❌ Youcan’t use complicated terms when asking for consent. Your terms and privacy policies must be clear and understandable, making sure users know what they’re agreeing to and what it means for them.
✅ For children, you need to get approval from a parent or guardian, unless the service is a counselling or prevention service. You should use existing technology to check that the person giving consent is indeed the child’s legal guardian.
❌ The GDPR doesn’t allow pre-ticked boxes.
✅ You must be clear about why you’re collecting data and consent must be freely given and obvious. It should be as easy to remove consent as to give it.
🚨 Records of Consent
It’s legally-required you keep detailed records to show that users have given their consent. If issues occur, you have to prove they agreed. 👉 Your records should contain who gave consent, when and how they did it, what consent form they saw, and the legal documents relevant at the time of consent. 👉 Use a Consent Management Platform for easily keeping records.
📌 Article 9 GDPR Summary: Special Categories of Personal Data
Under Article 9, the GDPR recognizes certain categories of personal data as “special” due to their sensitive nature. They are defined in the official text as:
racial or ethnic origin;
political opinions;
religious or philosophical beliefs;
trade union membership;
genetic data;
biometric data (i.e. fingerprints, face recognition, DNA, etc.);
data concerning health;
data concerning a natural person’s sex life or sexual orientation.
💡 See some examples and learn what you should do as a company in this guide.
📌 Key Highlights of GDPR: 7 Principles
Lawmakers made it simple. There are 7 GDPR principles (read more about each here):
Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.
Data Minimization: You must collect the minimum data possible, only what’s necessary for your purpose.
Accuracy: Personal data must be accurate and up-to-date.
Storage Limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality: Process and keep the data with appropriate security measures.
Accountability: Keep a “full and extensive” documentation of all your activities.
Penalties for Noncompliance
The General Data Protection Regulation (GDPR) has set a precedent for stringent data protection standards, emphasizing the critical nature of compliance. Organizations found in violation of GDPR face significant penalties, which serve as a deterrent against lax data protection practices and underscore the gravity of data privacy in the digital age.
Scale of Penalties
Penalties for noncompliance can be substantial, serving as a wake-up call for organizations to prioritize data protection. Fines can reach up to €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher.
Criteria for Determining Fines
The determination of fines is not arbitrary but is based on several factors, including the nature, gravity, and duration of the infringement. Considerations include:
Nature and Severity: The impact of the violation on data subjects’ rights and privacy.
Intentional or Negligent Violation: Whether the breach was deliberate or resulted from negligence.
Mitigating Actions: Efforts made by the organization to mitigate damage to data subjects.
Previous Infringements: Prior violations by the organization.
Cooperation with Supervisory Authorities: The degree of cooperation with the regulatory body to remedy the violation and mitigate its effects.
The GDPR In Practice: Tips and Tools For Businesses
📌 The Case of Marketing and the GDPR
Most marketing activities a business has, like signing up via a form and receiving emails/newsletters or displaying ads (with the use of cookies), imply the collect and use of personal data.
In simple terms, the GDPR says that:
Leads, customers and partners need to explicitly confirm that they want to be contacted. They must give their consent. For example, pre-ticked checkboxes or any other type of consent by default are not allowed.
Customers should have a specific right to withdraw consent; it must, therefore, be as easy to withdraw consent as it is to give it. A straightforward example of this would be the unsubscribe link of an email.
You need to be able to prove that you’ve collected consents lawfully, in a way that’s GDPR-compliant.
Apart from all that has been outlined before, other major internal measures organizations should put in place to be compliant with the GDPR are the following:
👉 Appoint a Data Protection Officer (DPO): The DPO is a person in charge of ensuring that personal data (of employees, customers, etc.) is processed following the applicable data protection rules. In general, this requirement applies when a company processes a significant amount of personal data. 🔎 Follow this guide on choosing your DPO
👉 Perform a Data Protection Impact Assessment (DPIA): Helps to identify and minimize data protection risks. It’s required by the GDPR when the processing can involve significant risks to the rights and freedoms of individuals (e.g. for sensitive personal data, new technologies, or large-scale processing activities). 🔎 Check out this DPIA template
We did our best to break down the information for you in this GDPR summary. We hope you found it easy to follow and understand, and will go through our additional resources in case you need to dive in a specific topic.
We agree to say that GDPR compliance is not entirely straightforward. It requires a lot of thinking and a lot of your time:
It’s tricky both from a legal and technical standpoint to implement the measures listed above. 🚀 Luckily, there are privacy management software that can greatly help. Check out our compliance solution, iubenda.
You might also feel like there’s a lot of things to do. 🚀 For this, we’ve reduced the information to a 15-point GDPR compliance checklist.
