GDPR Summary: Key Points You Need to Know

No time to go through the lengthy GDPR official text? Want to get a simple but well-rounded understanding of this regulation? Our GDPR summary is exactly what you need.

Consumer data has become more and more valuable to companies, and is therefore collected and used ever more widely. Strong regulations had to be put in place to safeguard individuals’ personal data.

Probably the best known and most robust of these is the General Data Protection Regulation (GDPR), which set the pace for the digital ecosystem in Europe and the rest of the world, fuelling the emergence of further privacy regulations globally.

👀 In this comprehensive GDPR summary, we’ll simplify and explain key points and provisions you should be aware of. We also provide practical resources for your own GDPR compliance.

GDPR Summary: The Most Important Points

📌 What Does GDPR Mean?

GDPR stands for “General Data Protection Regulation”.

🗓️ When was it enacted? The GDPR is a regulation of the European Union, adopted in April 2016 (Regulation (EU) 2016/679), that became fully applicable and enforceable on May 25th, 2018. It is widely regarded as the strictest privacy law to date.

💬 What is it? At its most basic, the GDPR specifies how personal data may lawfully be collected, used, stored, shared and protected. It primarily safeguards personal data, promoting transparency and accountability in how organizations handle this information.

📍 Where does it apply? The GDPR can apply to you whether your organization is based in the EU or not. More on this in our dedicated section.

💡 Does the GDPR apply to businesses outside of the EU and UK? Do this free 1-min quiz to see if you’re exempt or not.


What is the GDPR in simple terms?

To understand the GDPR in simple terms, think of it as a framework that declares and enforces rights regarding personal data for the persons who fall under its scope. Its scope includes people who are in Europe (strictly, the EU and EEA) and people targeted by entities established there.

This means that:

  • if you target Europe-based users, GDPR rules may apply to you regardless of your location; and
  • if you are based in Europe but target non-Europe-based persons, you may still be bound by GDPR rules.

Under the GDPR you must have a legitimate reason, or legal basis, to process the personal data of users. You must also respect and honor user rights such as the Right to Access, the Right to Object, the Right to Erasure and more.

Personal data can include but isn’t limited to IP addresses, email addresses, names, location, biometric data and more.

📌 What Is a Summary of GDPR Provisions?

The main provisions of the GDPR focus on protecting individuals’ rights and instituting better data handling practices.

Here are the major takeaways from the regulation:

  1. Definition of personal data: Any information relating to an identified or identifiable natural person, including information that identifies someone only when combined with other data. Typical examples: names; health, genetic and biometric data; web data such as IP addresses; personal email addresses; political opinions.
  2. Disclosure requirements: This is typically done via a privacy policy. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
  3. Consent: If as an organization you process personal data, the GDPR requires you to have a valid reason to do so (called a legal basis). If consent is your legal basis, before collecting any personal data you must obtain unambiguous consent given by a clear affirmative action (explicit consent where special categories of data are involved), and you must keep records of that consent.
  4. Organizational measures: You must honor user rights and requests, implement organizational measures (risk assessments, appointing a person responsible for privacy where the regulation requires one) and keep the data secure while it is stored and processed.

💡 Want more detail on GDPR provisions? You’ll find what you’re looking for in our full legal guide.

📌 When Does the GDPR Apply?

In brief, the GDPR applies when:

  • an entity is established in the EU/EEA (this applies whether the processing itself takes place in Europe or not);
  • an entity not established in the EU/EEA offers goods or services to people in the EU/EEA; or
  • an entity not established in the EU/EEA monitors the behavior of people who are in the EU/EEA.

*Remember, if you are based in the EU, you must apply GDPR standards to all users (not only to users in the EU)!

👋 Not sure if the GDPR applies to you?

👉 Take this free 1-min quiz now to find out

Data can only be processed if there’s at least one legal basis for doing so. The legal bases are:

  • The user has given consent for one or more specific purposes (the legal basis many businesses choose, though not always the most appropriate one: consent can be withdrawn at any time, so it is a poor fit for processing you cannot stop).
  • The data processing is necessary for the performance of a contract or in order to take steps prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for performing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

💡 The legal basis you choose MUST genuinely apply to the processing. Processing without a valid legal basis is itself an infringement of the GDPR’s basic principles, which falls into the higher tier of administrative fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher).

📌 What are the GDPR Data Subject Rights?

Data subject rights, a cornerstone of GDPR, provide individuals with control over their personal data.
Here’s a GDPR data subject rights overview:

  • Right to Be Informed
  • Right of Access
  • Right to Rectification
  • Right to Erasure
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object
  • Rights on Automated Decision-Making and Profiling

The right to be informed is the first step toward GDPR compliance.
And it starts with having a strong and easy-to-understand privacy policy, accessible at all times from your website.
👉 See a GDPR-compliant privacy policy example here

Under GDPR rules, if you’re using people’s data based on their consent, you must ensure they agree in a way that is verifiable and unambiguous:

Explicit consent (the term used in the GDPR), also known as express or direct consent, occurs when someone explicitly agrees to the collection, use or sharing of their personal data. The user must take an active step to consent, for example by clicking “Accept” or “Allow”.

You can’t use complicated terms when asking for consent. Your terms and privacy policies must be clear and understandable, making sure users know what they’re agreeing to and what it means for them.

✅ For children below the age of digital consent (16 under the GDPR, though member states may lower it to 13), you need authorization from a parent or guardian, unless the service is a preventive or counselling service offered directly to the child. You must make reasonable efforts, using available technology, to verify that the person giving consent is indeed the child’s legal guardian.

❌ The GDPR doesn’t allow pre-ticked boxes.

✅ You must be clear about why you’re collecting data, and consent must be freely given, specific and unambiguous. It must be as easy to withdraw consent as it is to give it.

🚨 Records of Consent

You are legally required to keep detailed records showing that users have given their consent. If a dispute arises, the burden is on you to prove they agreed.
👉 Your records should contain who gave consent, when and how they did it, what consent form they saw, and the legal documents relevant at the time of consent.
👉 Use a Consent Management Platform for easily keeping records.

📌 Article 9 GDPR Summary: Special Categories of Personal Data

Under Article 9, the GDPR recognizes certain categories of personal data as “special” due to their sensitive nature. They are defined in the official text as:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data processed to uniquely identify a person (e.g. fingerprints or facial images used for recognition);
  • data concerning health;
  • data concerning a natural person’s sex life or sexual orientation.

💡 See some examples and learn what you should do as a company in this guide.


📌 GDPR Summary: 7 Principles

Lawmakers made it simple. There are 7 GDPR principles (read more about each here):

  1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
  2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.
  3. Data Minimization: You must collect the minimum data possible, only what’s necessary for your purpose.
  4. Accuracy: Personal data must be accurate and up-to-date.
  5. Storage Limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Integrity and Confidentiality: Process data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.
  7. Accountability: The controller is responsible for compliance with the principles above and must be able to demonstrate it, which in practice means keeping full documentation of your processing activities.

The GDPR In Practice: Tips and Tools For Businesses

📌 The Case of Marketing and the GDPR

Most marketing activities a business runs, such as sign-up forms followed by emails or newsletters, or displaying ads (with the use of cookies), involve the collection and use of personal data.

In simple terms, the GDPR says that:

  • Leads, customers and partners need to explicitly confirm that they want to be contacted. They must give their consent. For example, pre-ticked checkboxes or any other type of consent by default are not allowed.
  • Customers should have a specific right to withdraw consent; it must, therefore, be as easy to withdraw consent as it is to give it. A straightforward example of this would be the unsubscribe link of an email.
  • You need to be able to prove that you’ve collected consents lawfully, in a way that’s GDPR-compliant.
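The Records of Consent section above lists what a consent record must capture (who, when, how, which form the user saw and which legal text was in force), and the marketing points above add that withdrawal must be as easy as consenting and that you must be able to prove each consent. The ledger below is an added illustration written for this summary, not iubenda’s code: the event fields follow that list, while the in-memory storage, the class and function names, and the sample user and policy text are assumptions made for the example. It refuses pre-ticked consent, records withdrawals without any re-acknowledgement step, answers “did we hold consent at that moment?” for any past time, and exports one person’s history as evidence.

```python
"""Consent-records ledger: an added example, not iubenda's code.
Storage (an in-memory list), names and sample data are illustrative."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


def policy_fingerprint(text: str) -> str:
    """SHA-256 of the exact policy text shown, so a record can later prove
    which version the user agreed to without storing the full text per user."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # who
    purpose: str      # one specific purpose ("newsletter"), never a blanket one
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # when (UTC)
    method: str       # how: "signup-form checkbox", "email unsubscribe link", ...
    form_id: str      # which consent form or banner the user saw
    policy_hash: str  # fingerprint of the privacy policy in force at the time


class ConsentLedger:
    """Append-only log: events are never edited or deleted, only superseded."""

    def __init__(self) -> None:
        self._events = []  # list of ConsentEvent, in the order recorded

    def grant(self, subject_id: str, purpose: str, *, method: str, form_id: str,
              policy_text: str, pre_ticked: bool = False,
              at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box is not a clear affirmative action: refuse to record it.
        if pre_ticked:
            raise ValueError("consent from a pre-ticked box is not valid under the GDPR")
        if not method or not form_id:
            raise ValueError("a consent record must say how and on which form consent was given")
        event = ConsentEvent(subject_id, purpose, True, at or datetime.now(timezone.utc),
                             method, form_id, policy_fingerprint(policy_text))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, *, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal must be as easy as consenting: no form or policy step is
        # required, so form and policy fields are copied from the grant withdrawn.
        last = self.latest(subject_id, purpose)
        if last is None or not last.granted:
            raise LookupError("no active consent to withdraw")
        event = ConsentEvent(subject_id, purpose, False, at or datetime.now(timezone.utc),
                             method, last.form_id, last.policy_hash)
        self._events.append(event)
        return event

    def latest(self, subject_id: str, purpose: str,
               when: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose at or before `when`
        (ties resolved in favour of the event recorded later)."""
        best = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose \
                    and (when is None or e.at <= when):
                if best is None or e.at >= best.at:
                    best = e
        return best

    def has_consent(self, subject_id: str, purpose: str,
                    when: Optional[datetime] = None) -> bool:
        """True only if the latest event at `when` is a grant, i.e. the answer to
        'could we lawfully have contacted this person at that time?'"""
        last = self.latest(subject_id, purpose, when)
        return last is not None and last.granted

    def evidence(self, subject_id: str) -> str:
        """Full history for one person as JSON, ready for an audit or access request."""
        rows = [dict(asdict(e), at=e.at.isoformat())
                for e in self._events if e.subject_id == subject_id]
        return json.dumps(rows, indent=2)


POLICY_V1 = "Privacy policy v1 (constructed sample text for this example)"


def demo() -> dict:
    """Walk one constructed subject through grant and withdrawal."""
    ledger = ConsentLedger()
    ledger.grant("user-42", "newsletter", method="signup-form checkbox",
                 form_id="signup-2024-03", policy_text=POLICY_V1,
                 at=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc))
    ledger.withdraw("user-42", "newsletter", method="email unsubscribe link",
                    at=datetime(2024, 6, 1, 9, 30, tzinfo=timezone.utc))
    try:  # the ledger must reject consent "by default"
        ledger.grant("user-7", "newsletter", method="checkbox", form_id="f1",
                     policy_text=POLICY_V1, pre_ticked=True)
        rejected_pre_ticked = False
    except ValueError:
        rejected_pre_ticked = True
    return {
        "before_withdrawal": ledger.has_consent(
            "user-42", "newsletter", when=datetime(2024, 4, 15, tzinfo=timezone.utc)),
        "after_withdrawal": ledger.has_consent("user-42", "newsletter"),
        "never_asked": ledger.has_consent("user-42", "profiling"),
        "rejected_pre_ticked": rejected_pre_ticked,
        "event_count": len(json.loads(ledger.evidence("user-42"))),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter here. The ledger only ever appends, so a withdrawal does not erase the earlier grant; that history is exactly what lets you prove an email sent in April was lawful even though the user unsubscribed in June. And the record stores a hash of the policy text rather than a version label, so it can be checked against your archived policy texts rather than trusted on its own.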

💡 Setting up GDPR-compliant forms can be tricky. Take a look at some examples.

📌 Measures to Take as an Organization

Apart from all that has been outlined before, other major internal measures organizations should put in place to be compliant with the GDPR are the following:

👉 Appoint a Data Protection Officer (DPO): The DPO is the person in charge of ensuring that personal data (of employees, customers, etc.) is processed in line with the applicable data protection rules. Appointing one is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily.
🔎 Follow this guide on choosing your DPO

👉 Perform a Data Protection Impact Assessment (DPIA): Helps to identify and minimize data protection risks. The GDPR requires one whenever the processing is likely to result in a high risk to the rights and freedoms of individuals (e.g. processing sensitive personal data, using new technologies, or large-scale processing activities).
🔎 Check out this DPIA template

🇺🇸👋 US businesses? Over here!

👉 Make sure to comply with US State Privacy Laws

📌 Tackle Your GDPR Compliance Now

We did our best to break down the information for you in this GDPR summary. We hope you found it easy to follow and understand, and that you will go through our additional resources if you need to dive into a specific topic.

We admit that GDPR compliance is not entirely straightforward. It requires a lot of thinking and a lot of your time:

  1. It’s tricky both from a legal and a technical standpoint to implement the measures listed above. 🚀 Luckily, there is privacy management software that can greatly help. Check out our compliance solution, iubenda.
  2. You might also feel like there’s a lot to do. 🚀 For this, we’ve reduced the information to a 15-point GDPR compliance checklist.
  3. Still a bit lost? ⬇️

👋 Find out your website’s compliance rate.

👉 Scan your site now