A Short Guide to the EU General Data Protection Regulation

6. January 2023

The EU General Data Protection Regulation (GDPR) is without doubt one of, if not the most stringent, most comprehensive data privacy laws in the world. Its arrival marked the most significant shake-up of data protection laws in decades and is considered to be the benchmark for privacy laws. Here’s a quick guide to the GDPR.

Does the GDPR only apply to EU-based organizations?

The GDPR was developed to protect the personal data of EU citizens and residents. So, it’s a common misconception that it only applies to organizations based in the European Union. That isn’t the case at all, however. That means it applies to any organization that processes the personal data of EU citizens, wherever in the world that organization is based. That means numerous non-European companies fall under the scope of GDPR and need to comply with it.

Who supervises the GDPR?

Every EU member state has an independent data protection authority that provides guidance and handles complaints. The European Data Protection Board ensures consistent application of the GDPR and promotes cooperation among the data protection authorities. Even so, individual EU countries are authorized to implement separate supplemental rules regarding the GDPR.

Are there any penalties for non-compliance?

Since its inception in May 2018, data privacy compliance has become a priority on corporate agendas. And no wonder. Any breach can potentially result in significant fines of up to €20M or 4% of annual global turnover for ‘severe violations’. ‘Less severe violations’ can cost an organization up to €10M or 2% of annual global revenues.

Are companies actually being fined?

By the end of October 2022, EU data protection authorities had imposed fines amounting to more than a staggering 2 billion euros for breaches of the GDPR. For example, the Data Protection Authority of Niedersachsen, Germany, fined the country’s largest car manufacturer over a million euros for the “insufficient fulfillment of information obligations”.

The first years of GDPR were marked by burdensome constraints and terrible user experiences. However, the legislation marks the first time a political system has enforced its fundamental values well beyond its own tech ecosystem, driving user trust and adoption – adherence is already becoming a global competitive advantage.

Clark Parsons, Managing Director, Internet Economy Foundation Partner, iconomy


The 7 principles of GDPR

GDPR is extensive, complex, and (it’s fair to say) overwhelming. According to the Information Commissioner’s Office, the framework was based upon seven principles.

  1. Lawfulness, fairness, and transparency

Obtain the data on a lawful basis, fully inform the individual, and keep your promises.

  1. Purpose limitation

Be specific and inform your clients about the purpose of the data collection. 

  1. Data minimization

Only collect the minimum amount of data required for the intended purposes. 

  1. Accuracy

Personal data must be accurate and where necessary kept up to date. 

  1. Storage limitations

Data must be kept in a form that allows data subjects to be identified for the minimum length of time possible. 

  1. Integrity and confidentiality

Protect data against unlawful processing or accidental loss, destruction, or damage.  

  1. Accountability

Record and prove compliance and be able to show the documents that prove this.

In the last few years, companies have realized it is fundamental to protect privacy. So they are learning about the GDPR and implementing measures to ensure they are compliant. There are already companies working on privacy-enhancing technologies that both enable innovation and ensure GDPR compliance.

Marian Gläser, CEO/Co-Founder, brighter AI


GDPR Glossary

Processors & Controllers: The legal person, public authority, agency, or other body which, alone or jointly with others, decides who and what personal data will be processed.

Personal Data: “all information relating to an identified or identifiable person (known as the data subject).

Processing: any operation performed on personal data such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.

Data Minimization: personal data shall be limited to what is necessary in relation to the purposes for which they are processed.

Consent Requirement: The consent of the data subject is the most common basis for lawful processing. This consent needs to be “freely given, specific, informed and unambiguous”.

Privacy by Default & by Design: ‘By default’ means that the strictest privacy settings should be the standard. ‘By design’ describes the state-of-the-art technical and organizational measures that need to be in place to safeguard data protection.

Third-Country Adequacy: when transferring personal data to non-EU/EEA jurisdictions, the third country ensures an adequate level of protection close to GDPR safeguards.

Understand the big picture

All this gives you a basic idea of the GDPR, but in reality, it’s a huge and complex framework consisting of hundreds of pages. Understanding its relevance and staying on top of the basic requirements is a key priority for any organization that gathers data on EU citizens. But that doesn’t have to be an endless administrative nightmare. There’s a new generation of innovative technologies out there, specifically developed to keep you compliant quickly and efficiently and avoid the risk of breaches, fines, and reputational damage.

If you’d like to learn more about the GDPR and data protection regulations around the world, check out this whitepaper for more information.

Caspar Miller
Head of Regulatory