No time to go through the lengthy GDPR official text? Want to get a simple but well-rounded understanding of this regulation? Our GDPR summary is exactly what you need.
Consumer data has become more and more valuable to companies, and is therefore widely collected and used. Strong regulations had to be put in place to safeguard individuals' personal data.
Probably the best-known and most robust one is the General Data Protection Regulation (GDPR), which set the pace for the digital ecosystem in Europe and the rest of the world, fuelling the emergence of more privacy regulations globally.
👀 In this comprehensive GDPR summary, we’ll simplify and explain key points and provisions you should be aware of. We also provide practical resources for your own GDPR compliance.
GDPR stands for “General Data Protection Regulation”.
🗓️ When was it enacted? The GDPR is a regulation enacted by the European Union that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date.
💬 What is it? At its most basic, the GDPR specifies how personal data may lawfully be collected, processed, used, protected and otherwise handled. It primarily safeguards personal data, promoting transparency and accountability in how companies handle this information.
📍 Where does it apply? The GDPR can apply to you whether your organization is based in the EU or not. More on this in our dedicated section.
💡 Does the GDPR apply to businesses outside of the EU and UK? Take this free 1-min quiz to see whether you're exempt or not.
To understand the GDPR in simple terms, think of it as a framework that declares and enforces rights, with regard to personal data, for the persons who fall under its scope. Its scope includes people who are based in Europe and people targeted by entities based in Europe.
This means that:
Under the GDPR you must have a legitimate reason, or legal basis, to process the personal data of users. You must also respect and honor user rights such as the Right to Access, the Right to Object, the Right to Erasure and more.
Personal data can include but isn’t limited to IP addresses, email addresses, names, location, biometric data and more.
The main provisions of the GDPR focus on protecting individuals’ rights and instituting better data handling practices.
Here are the major takeaways from the regulation:
💡 Want more detail on GDPR provisions? You’ll find what you’re looking for in our full legal guide.
In brief, the GDPR applies when:
*Remember: if you are based in the EU, you must apply GDPR standards to all users (not only to users in the EU)!
Data can only be processed if there’s at least one legal basis for doing so. The legal bases are:
💡 The legal bases chosen by a business MUST legitimately apply. If they don't, data protection authorities have stated that harsher penalties could be imposed.
Data subject rights, a cornerstone of GDPR, provide individuals with control over their personal data.
Here’s a GDPR data subject rights overview:
The right to be informed is the first step toward GDPR compliance.
And it starts with having a strong and easy-to-understand privacy policy accessible at all times from your website.
👉 See a GDPR-compliant privacy policy example here
Under GDPR rules, if you're using people's data based on their consent, you must ensure they agree in a way that is verifiable and unambiguous:
✅ Express consent (directly mentioned under the GDPR), also known as explicit or direct consent, occurs when someone explicitly agrees to the collection, use, or sharing of their personal data. In this case, the user must take an active action to consent, for example by clicking on "Accept" or "Allow".
❌ You can't use complicated terms when asking for consent. Your terms and privacy policies must be clear and understandable, making sure users know what they're agreeing to and what it means for them.
✅ For children, you need to get approval from a parent or guardian, unless the service is a counselling or prevention service. You should use available technology to check that the person giving consent is indeed the child's legal guardian.
❌ The GDPR doesn’t allow pre-ticked boxes.
✅ You must be clear about why you’re collecting data and consent must be freely given and obvious. It should be as easy to remove consent as to give it.
You are legally required to keep detailed records showing that users have given their consent. If issues occur, you have to prove they agreed.
👉 Your records should contain who gave consent, when and how they did it, what consent form they saw, and the legal documents relevant at the time of consent.
👉 Use a Consent Management Platform for easily keeping records.
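As an added example (not code from this article or from any consent management product), the following Python ledger stores exactly the consent record fields listed above: who gave consent, when, how, which form they saw and which policy version was in force. The hash chaining, the `ConsentEvent`/`ConsentLedger` names and the sample user and version strings are my own assumptions, chosen so that an old record cannot be quietly rewritten after the fact and so that withdrawing consent is the same one call as giving it.

```python
"""Consent evidence ledger (added example; not the article's own tooling).
Each entry records who consented, when, how, which consent form they saw and
which legal documents were in force. Entries are hash-chained so rewriting or
deleting an old record is detectable; withdrawal has the same shape as a grant.
"""
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry (constructed sentinel)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # who: pseudonymous user identifier
    purpose: str         # what the consent covers, e.g. "newsletter"
    granted: bool        # True = consent given, False = consent withdrawn
    recorded_at: str     # when: ISO 8601 timestamp in UTC
    method: str          # how: e.g. "signup_form:accept_click"
    form_version: str    # which consent form/wording the user saw
    policy_version: str  # privacy policy version in force at the time
    prev_hash: str       # SHA-256 of the previous entry (tamper evidence)

    def digest(self) -> str:
        # Canonical JSON (sorted keys) so the hash is reproducible.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id, purpose, granted, method, form_version,
                policy_version, now: Optional[datetime]) -> ConsentEvent:
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._events[-1].digest() if self._events else GENESIS
        ev = ConsentEvent(subject_id, purpose, granted, ts, method,
                          form_version, policy_version, prev)
        self._events.append(ev)
        return ev

    def grant(self, subject_id, purpose, method, form_version, policy_version, now=None):
        return self._append(subject_id, purpose, True, method, form_version, policy_version, now)

    def withdraw(self, subject_id, purpose, method, form_version, policy_version, now=None):
        # Same shape as grant(): withdrawing must be as easy as consenting.
        return self._append(subject_id, purpose, False, method, form_version, policy_version, now)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event wins; no record at all means no consent."""
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.granted
        return False

    def proof(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for one subject and purpose: the evidence if challenged."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]

    def head(self) -> str:
        """Digest of the newest entry. Store it in a separate write-once log:
        the chain itself cannot protect its own last entry."""
        return self._events[-1].digest() if self._events else GENESIS

    def verify_chain(self, expected_head: Optional[str] = None) -> bool:
        """True if every entry links to its predecessor and, when given,
        the chain ends at the externally stored head digest."""
        link = GENESIS
        for ev in self._events:
            if ev.prev_hash != link:
                return False
            link = ev.digest()
        return expected_head is None or link == expected_head


def demo() -> dict:
    """Constructed walk-through on sample data; returns the checks it makes."""
    ledger = ConsentLedger()
    before = ledger.has_consent("user-42", "newsletter")
    ledger.grant("user-42", "newsletter", "signup_form:accept_click",
                 "form-v3", "privacy-policy-2024-01")
    after_grant = ledger.has_consent("user-42", "newsletter")
    ledger.withdraw("user-42", "newsletter", "preferences_page:toggle_off",
                    "prefs-v1", "privacy-policy-2024-01")
    after_withdraw = ledger.has_consent("user-42", "newsletter")
    saved_head = ledger.head()
    intact = ledger.verify_chain(saved_head)
    # Rewriting an old entry (claiming the user saw another form) breaks the link.
    ledger._events[0] = replace(ledger._events[0], form_version="form-v9")
    return {"before": before, "after_grant": after_grant,
            "after_withdraw": after_withdraw, "intact": intact,
            "tampered_detected": not ledger.verify_chain(saved_head),
            "history_len": len(ledger.proof("user-42", "newsletter"))}
```

Two design points matter in practice. First, `has_consent` returns `False` when no record exists, so a missing record never silently turns into implied consent. Second, a hash chain only protects entries that have a successor; the `head()` digest has to be copied somewhere the application cannot overwrite (an append-only audit log, for instance) for the newest entry to be covered as well.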
Under Article 9, the GDPR recognizes certain categories of personal data as “special” due to their sensitive nature. They are defined in the official text as:
💡 See some examples and learn what you should do as a company in this guide.
Lawmakers made it simple. There are 7 GDPR principles (read more about each here):
Most of a business's marketing activities, such as collecting sign-ups via a form and sending emails or newsletters, or displaying ads (with the use of cookies), involve the collection and use of personal data.
In simple terms, the GDPR says that:
💡 Setting up GDPR-compliant forms can be tricky. Take a look at some examples.
Apart from everything outlined above, other major internal measures organizations should put in place to be compliant with the GDPR are the following:
👉 Appoint a Data Protection Officer (DPO): The DPO is a person in charge of ensuring that personal data (of employees, customers, etc.) is processed following the applicable data protection rules. In general, this requirement applies when a company processes a significant amount of personal data.
🔎 Follow this guide on choosing your DPO
👉 Perform a Data Protection Impact Assessment (DPIA): A DPIA helps identify and minimize data protection risks. It's required by the GDPR when the processing can involve significant risks to the rights and freedoms of individuals (e.g. for sensitive personal data, new technologies, or large-scale processing activities).
🔎 Check out this DPIA template
We did our best to break down the information for you in this GDPR summary. We hope you found it easy to follow and understand, and that you will go through our additional resources if you need to dive into a specific topic.
We admit that GDPR compliance is not entirely straightforward. It requires a lot of thinking and a lot of your time: