What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a landmark legislation that has reshaped the way personal data is handled across many sectors. Widely regarded as the most stringent data protection law in the world, it aims to protect the personal data of individuals across the EU.

What is the GDPR?

The General Data Protection Regulation (also known as the GDPR) is a European Union law aimed at ensuring that the personal data of individuals in the EU and the European Economic Area (EEA) is handled by companies on a lawful basis while ensuring its security, privacy, and confidentiality.

Before the GDPR, the EU operated under the Data Protection Directive of 1995, which was enacted at a time when the digital landscape was vastly different. The advent of social media, cloud computing, and data analytics meant that this older legislation was no longer adequate. 

GDPR was introduced to address these technological advancements and to provide a harmonized data protection law that could be applicable across all EU member states.

Key concepts

What is personal data?

Under GDPR, personal data is any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, and even online identifiers like IP addresses.

When do I process personal data?

Cookies collect and process personal data of your website's visitors. Every time a person visits your company website, cookies are stored, accessed, and changed in the visitor's browser. These data typically comprise language settings, screen size, and items in the basket, but can also include information about the user's IP address, choice of browser, and online behavior. Marketing cookies track users across the website and the internet with the purpose of creating online profiles for direct marketing.

What is a Data Controller and a Data Processor?

What are the 7 key principles of the GDPR?

Lawfulness, Fairness, and Transparency

This principle mandates that personal data must be processed lawfully, fairly, and in a transparent manner. In essence, you must have a legitimate reason for processing the data and must do so in a way that doesn’t deceive or harm the data subject.
Organizations must clearly inform data subjects about how and why their data is being processed. This is often done through a privacy policy that is easily accessible and written in clear language.

Purpose Limitation

Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Organizations must be clear about why they are collecting data and should not use the data for anything other than that stated purpose. Any new use of the data must be compatible with the original purpose for which it was collected.

Data Minimization

Only the data that is necessary for the specific purpose should be processed.
Organizations should only collect the minimum amount of data needed to fulfill their stated purpose. This reduces the risk associated with data breaches and ensures compliance with the GDPR.

Accuracy

Data must be accurate and, where necessary, kept up to date.
Organizations must take steps to ensure the data they hold is accurate and up-to-date. This often involves providing mechanisms for data subjects to update their information.

Storage Limitation

Data should not be stored for longer than is necessary for its intended purpose.
Organizations must have a data retention policy that outlines how long data will be stored and the criteria used to determine that time period.

Integrity and Confidentiality

Data must be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Organizations must implement security measures such as encryption, access controls, and regular security audits to ensure the integrity and confidentiality of data.

Accountability

The data controller is responsible for and must be able to demonstrate compliance with the GDPR.
Organizations must keep records of their data processing activities and implement measures to ensure compliance with the GDPR. This often involves conducting Data Protection Impact Assessments (DPIAs) and appointing a Data Protection Officer (DPO).

Who does the GDPR apply to?

The GDPR applies to all organizations and public authorities, regardless of their location, that process the personal data of individuals residing in the EU. This includes not only EU-based businesses but also any business that offers goods or services to, or monitors the behavior of, EU residents.

It applies to both data controllers, who determine the purposes and means of processing personal data, and data processors, who process data on behalf of data controllers.

Rules for obtaining consent and data processing 

Under the GDPR, organizations must obtain clear and affirmative consent from individuals before processing their personal data.

This means that silence, pre-checked boxes, or inactivity do not constitute consent; instead, individuals must explicitly opt in to have their data processed. The request for consent must be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent.

Moreover, individuals have the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it is to give it. When it comes to processing data, organizations must adhere to the principles of data minimization, accuracy, storage limitation, and integrity and confidentiality.

Data transfers to countries outside the EU are also subject to strict rules. Transfers can only be made to countries that provide an adequate level of data protection or under specific conditions like Standard Contractual Clauses or Binding Corporate Rules.

Fines for non-compliance

Non-compliance can result in severe financial penalties. Organizations can be fined up to €20 million or 4% of their annual global turnover, whichever is higher (Article 83, GDPR).

What does the GDPR cover?

The GDPR covers the processing of personal data, which is any information relating to an identified or identifiable natural person. This includes name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. 

It also covers the processing of sensitive personal data, which includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, data concerning a person’s sex life or sexual orientation, and criminal convictions or offenses.

The GDPR and the use of cookies

Under the GDPR, cookies that can identify an individual via their device are considered personal data. Therefore, the use of such cookies requires the user’s explicit consent. This means that websites must inform users about the cookies they use and their purpose, and obtain their active and explicit consent before setting any non-essential cookies.

Cookies are a widely used tool for storing data about a specific user on a website; a service can then read this data to build a profile of the individual and target ads and customized content at them.

As the data controller, you are also responsible for the data collected by third parties on your website, such as first- and third-party cookies which process visitors' personal data (Google, Facebook, YouTube, Addthis, Doubleclick).

Example

Your company website uses Google Analytics to explore website traffic. Google deploys a number of cookies (first-party) in your visitor’s web browser every time the user visits your site. These cookies collect and process personal information about the visitor which may identify the visitor directly or indirectly. The data collected by Google Analytics is used for online profiling and direct marketing, and this requires explicit user consent.
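The consent rules above (no pre-checked boxes, explicit opt-in, withdrawal as easy as giving) and the cookie example can be enforced in code by gating every cookie write behind a per-purpose consent record. The following is an added example written for this page, not code from the original or from any consent management product; the cookie catalogue, purpose names and in-memory cookie jar are constructed stand-ins for a real site's cookie inventory and `document.cookie`.

```javascript
// Strictly necessary cookies do not need consent; every other purpose does.
const ESSENTIAL = "necessary";

// Constructed cookie inventory: each cookie declares the purpose it serves.
// Undeclared cookies are refused, so a site cannot set what it has not documented.
const COOKIE_CATALOGUE = {
  session_id: ESSENTIAL,
  _ga: "statistics",        // constructed example of an analytics cookie
  ads_profile: "marketing", // constructed example of a marketing cookie
};

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar, catalogue) {
    this.jar = jar;
    this.catalogue = catalogue;
    // Default is refusal: silence, inactivity or a pre-checked box is not consent.
    this.consent = { statistics: false, marketing: false };
    this.log = []; // record of choices, so the controller can demonstrate consent
  }
  isAllowed(purpose) {
    return purpose === ESSENTIAL || this.consent[purpose] === true;
  }
  // Record an explicit choice; any purpose not affirmatively chosen stays refused.
  setConsent(choices) {
    for (const purpose of Object.keys(this.consent)) {
      this.consent[purpose] = choices[purpose] === true;
    }
    this.log.push({ at: Date.now(), consent: { ...this.consent } });
    // Withdrawal takes effect immediately: drop cookies no longer covered.
    for (const name of this.jar.names()) {
      const purpose = this.catalogue[name];
      if (purpose !== undefined && !this.isAllowed(purpose)) this.jar.remove(name);
    }
  }
  withdrawAll() { this.setConsent({}); } // as easy as giving consent: one call
  // Every cookie write goes through the gate; returns whether it was set.
  setCookie(name, value) {
    const purpose = this.catalogue[name];
    if (purpose === undefined) throw new Error(`undeclared cookie: ${name}`);
    if (!this.isAllowed(purpose)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

In a browser the jar would wrap `document.cookie`, and third-party tags (such as the analytics script in the example) would only be loaded once `isAllowed("statistics")` returns true.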

How should you inform consumers about the use of cookies?

Under the GDPR, organizations must inform individuals about their practices of collecting, using, and disclosing personal information. This includes the use of cookies to collect personal information. 

Organizations typically do this through a privacy policy that is readily available and easy to understand. The policy should explain what information the cookies collect, why the organization collects it, how the organization uses it, and who the organization shares it with.

Opting out and accessing personal information

The GDPR gives individuals the right to access their personal data, to object to the processing of their data, and to obtain correction, deletion, or restriction of their data under certain circumstances. This includes personal information collected through cookies. Organizations must provide mechanisms for individuals to exercise these rights.

How to make your website GDPR-compliant?

Making a website GDPR-compliant involves several steps: 

Our consent management platform helps you ensure compliance with global privacy laws, including GDPR. Start with a free 30-day trial and become GDPR-compliant today!
