GDPR: General Data Protection Regulation


What happens if you don’t comply

We have assembled this post to define what GDPR is, what it entails for businesses, and how they can comply with the new legislation. After reading this website, you will understand how it relates to your business, learn which of your company’s data are considered personal information under the new regulation, and know of the necessary steps you need to take for compliance.  helps to answer some of the questions that may arise during this process.


1. What GDPR is

In the past few years, there has been a growing concern regarding data privacy within the European Union, which was manifested in a European Commission resolution in November 2011 to promote awareness of the handling of personal data and to create a legal framework for the processing of such data. In 2012, this resolution was finalized as the General Data Protection Regulation, also referred to as the GDPR. The law has been enforced since 25 May 2018 and applies to all EU member states, including the member states that have not yet adopted a Data Protection Regulation (UK, Ireland).

GDPR replaces the Directive on Data Protection. The new law applies to all organisations that handle personal data, regardless of the company’s size. This includes both private and public entities, as well as any organisation that has a presence in the EU. It is a binding regulation for all businesses and regulates all types of data processing (including by email, text messages or phone calls). The GDPR applies to organisations whether they are based in the EU or not.

2. What is personal information?

Personal information is any information relating to an identified or identifiable natural person (a person who can be identified, directly or indirectly, by reference to an identifier such as their name, email address or telephone number). Personal information includes information such as the following:

Personal data may also be described by other terms such as “publicly available” or “not currently held”. The Regulation defines the collection and processing of personal data. It requires that entities collect personal data in a fair, transparent and lawful manner and with appropriate consents. It also defines what is considered a lawful basis for processing and provides some guidance on how this is applied in practice; we discuss these below.

Remember – what you think is fair may not be lawful, and vice versa! Exact compliance with the definition of ‘personal data’ will likely depend on industry or context (some may consider more public information to be personal).

3. What personal information can be processed?

A lawful basis for processing personal data must exist in order to comply with the GDPR. The following are considered lawful bases for processing:

GDPR provides that individuals should have the right to request erasure of their personal information if no relevant reason exists, if erasure has been made impossible, or if it has been unlawfully processed. Individuals will also have the right to object to processing of their data. The role of rights holders is strengthened by this regulation, and it provides individuals with more control over their data in terms of allowing them to give consent in less clear-cut situations.

4. Data controllers

Data controllers are companies that collect and process personal information in the course of providing their products or services to individuals or other data subjects. Other organisations such as banks, insurance companies, and telecoms will also be considered data controllers. 

Two key terms appear in the definition of a data controller: “the controller” and “the processor”. The latter is defined as either the controller or an organisation that processes personal information on behalf of another (an “intermediary”), and can include third parties such as social media platforms like Facebook.

5. Data processors

Data processors are organisations that process personal data on behalf of data controllers. They are often subcontractors of the data controller, catering to companies that have a large amount of data to process for their clients. The GDPR requires that any individual whose personal information is being processed by a data processor ensures that the processor complies with the standards outlined above.

6. Data protection impact assessment (DPIA)

If an organisation purchases goods or services from another entity, either directly or through another company, it must conduct a DPIA before processing any personal information under the GDPR. The reason for this is that not all data processing is considered “lawful” and thus requires permission from an individual. Some data processing such as the normal process of mailing a newsletter, updating a list or online shopping involves personal information, and thus will require an individual’s consent before it can be processed. Another example of data processing which will not require consent would be sharing of financial information between two companies to determine an individual’s creditworthiness.

7. Data protection officers (DPOs)

The GDPR has clarified that companies need to have a dedicated person that is responsible for the protection of personal data when it is being processed in the course of providing goods or services to individuals or other organisations.