What is the GDPR and how will it affect me?

Posted on 7 July 2017

The GDPR provides EU residents with control over their personal data through a set of “data subject rights.” These include the right to:

  • Access readily-available information in plain language about how personal data is used
  • Access personal data
  • Have incorrect personal data deleted or corrected
  • Have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”)
  • Restrict or object to processing of personal data
  • Receive a copy of personal data
  • Object to processing of data for specific uses, such as marketing or profiling

Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain requirements of the GDPR. Additional individual remedies could increase your risk if you fail to adhere to the GDPR requirements.

What is personal data?

Personal data is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. Personal data can include:

  • Name
  • Email address
  • Social media posts
  • Physical, physiological, or genetic information
  • Medical information
  • Location
  • Bank details
  • IP address
  • Cookies
  • Cultural identity

The GDPR applies to both data controllers and processors. A data controller is in charge of the data; a data processor processes the data for the controller. Controllers must only use processors that take measures to meet the requirements of the GDPR. A controller determines why and how to process personal data, while the processor performs operations on personal data on behalf of the controller.

Data processors

Under the GDPR, processors face additional duties and liability for non-compliance, or for acting outside the instructions provided by the controller. Compliant processor duties include:

  • Processing data only as instructed
  • Using appropriate technical and organizational measures to process personal data
  • Deleting or returning data to the controller
  • Securing permission to engage other processors

Data breaches

The GDPR changes data protection requirements and imposes stricter obligations on data processors and data controllers regarding notification of personal data breaches that result in a risk to individuals’ rights and freedoms.

Under the new regulation, the data processor must notify the data controller without undue delay after becoming aware of any such personal data breach. Once aware of a breach, the data controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected individuals without undue delay.

To learn more, visit the EU’s GDPR page.

This article was taken from our white paper, “The EU General Data Protection Regulation (GDPR): What is it and why does it affect my organisation?”
