Skip to content

What are the two main aims of GDPR?


What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that aims to enhance the protection of individuals' personal data within the European Union (EU). It was implemented on May 25, 2018, and applies to all organizations that process the personal data of EU residents, regardless of where the organization is located. The GDPR has two main aims: to give individuals control over their personal data and to harmonize data protection laws across the EU member states. These aims are achieved through key principles such as transparency, lawfulness, and fairness in data processing, as well as the establishment of clear rights for individuals and obligations for organizations. By strengthening individuals' data protection rights, the GDPR seeks to address concerns regarding privacy and data security in an increasingly data-driven world.

Overview of two main aims of GDPR

The General Data Protection Regulation (GDPR) has two main aims: enhancing protection principles and increasing control for individuals.

Firstly, GDPR aims to enhance protection principles by imposing stricter regulations on the processing of personal data. It sets out clear guidelines on how personal data should be collected, stored, and used. Organizations are required to implement organizational measures to ensure the security and confidentiality of personal data. They must also have a legal basis for processing personal data and cannot engage in unlawful processing. With these measures, GDPR aims to provide individuals with greater protection of their personal data, reducing the risk of unauthorized access or misuse.

Secondly, GDPR aims to increase control for individuals by empowering them with certain rights and control over their personal data. Individuals have the right to be informed about the processing activities involving their data through privacy notices and policies. They have the right to access their personal data and request its rectification or erasure. GDPR also grants individuals the right to restrict or object to the processing of their data and the right to data portability. Furthermore, organizations are obliged to notify individuals and relevant authorities in the event of a personal data breach.

Enhancing the protection principles

GDPR enhances the protection principles by imposing stricter regulations on the processing of personal data. These principles are crucial in ensuring solid data protection procedures and compliance with the GDPR.

The first principle is the requirement for organizations to implement organizational measures to ensure the security and confidentiality of personal data. This involves implementing technical and organizational measures to prevent unauthorized access, loss, or alteration of personal data. By mandating these measures, GDPR aims to enhance the protection of personal data, reducing the risk of unauthorized access or misuse.

The second principle is the legal basis for processing personal data. Organizations must have a lawful basis for processing personal data, and they cannot engage in unlawful processing. This principle ensures that organizations have legitimate purposes for processing personal data and prevents the misuse of personal data without proper justification.

Failure to comply with these protection principles can result in significant penalties. Non-compliance with GDPR can lead to fines of up to €20 million or 4% of the company's worldwide turnover, whichever is higher. These penalties emphasize the importance of adhering to the protection principles and implementing solid data protection procedures to ensure compliance with GDPR.

Increasing control for individuals

GDPR aims to increase control for individuals by providing them with certain rights and measures. One of the key rights under GDPR is the right to access their personal data held by organizations. Individuals have the right to obtain confirmation of whether or not their personal data is being processed and, if so, they can request access to that data. This allows individuals to have a clear understanding of what information organizations hold about them.

Another important right is the right to rectify any incorrect or incomplete personal data. Individuals have the power to request that organizations correct any inaccuracies in their personal data. This ensures that individuals have accurate and up-to-date information about themselves.

Furthermore, GDPR grants individuals the right to request the deletion of their personal data, also known as the right to be forgotten. If individuals no longer want their data to be processed, they can request its deletion, and organizations must comply, unless there are legal or legitimate reasons to keep the data.

In addition to these rights, individuals also have the right to restrict processing of their personal data, meaning they can limit how their data is used. They can also object to processing, such as direct marketing, and organizations must respect this objection. Moreover, under GDPR, individuals have the right to data portability, allowing them to obtain and reuse their personal data across different services.

Ensuring fairness and transparency in processing activities

Ensuring fairness and transparency in processing activities is one of the main aims of the General Data Protection Regulation (GDPR). The GDPR seeks to protect the rights and privacy of individuals by establishing clear principles and requirements for the lawful processing of personal data.

Lawfulness, fairness, and transparency are core principles that organizations must adhere to when processing personal data. Lawfulness means that there must be a legitimate basis for processing personal data, such as the consent of the data subject or the necessity of processing for the performance of a contract. Fairness requires that the processing is conducted in a way that is fair to the individuals whose data is being processed. Transparency involves providing clear and accessible information to individuals about how their data is collected, used, and shared.

GDPR sets out several legal bases that organizations can rely on to process personal data. These include the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party. Organizations must choose the appropriate legal basis for processing and ensure that it aligns with the principles of lawfulness, fairness, and transparency.

Under GDPR, obtaining valid consent is crucial for fair and transparent data processing. Organizations must obtain explicit and informed consent from individuals before processing their personal data, and individuals have the right to withdraw their consent at any time. Additionally, GDPR grants individuals the right to access their personal data, enabling them to exercise control over their information and ensure transparency in how it is being processed.

Furthermore, GDPR requires organizations to promptly disclose any personal data breaches to the relevant supervisory authority and, in some cases, to the affected individuals. This promotes transparency and accountability in data processing and helps protect individuals' rights and privacy.

Clarifying legal basis for processing personal data

The General Data Protection Regulation (GDPR) aims to clarify the legal basis for processing personal data, ensuring that organizations have a legitimate reason to collect, use, and share individuals' information. The GDPR provides a clear framework for determining the lawful basis for processing personal data, promoting transparency and accountability in data processing.

There are several legal bases outlined in the GDPR that organizations can rely on to process personal data. These include the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party. It is essential for organizations to carefully consider these legal bases and choose the one that aligns with the principles of lawfulness, fairness, and transparency.

However, the GDPR also includes certain exemptions concerning the processing of personal data. For example, processing personal data for purely personal or household purposes, such as sharing family photos with close friends, is exempt from the regulation. Additionally, certain activities related to academic, scientific, historical, or statistical purposes may be exempt, provided appropriate safeguards are in place.

Personal data is defined broadly under the GDPR and includes any information that can identify an individual directly or indirectly. This includes obvious examples such as names, addresses, and phone numbers, as well as less obvious information like IP addresses, email addresses, and photographs. It is worth noting that the GDPR recognizes the importance of protecting individuals' privacy rights, even when their identity is not directly revealed.

Establishing clear responsibilities for controllers and processors

The GDPR establishes clear responsibilities for both data controllers and processors in order to ensure the protection and privacy of personal data. Controllers are the entities that determine the purposes and means of data processing, while processors are those who process personal data on behalf of the controller.

Under the GDPR, controllers have specific obligations. They must be transparent about their data collection practices and provide individuals with clear information about their rights and how their data will be processed. Controllers must also have a lawful basis for processing personal data, and this basis must be declared to the individuals whose data is being processed.

Controllers are responsible for implementing appropriate technical and organizational measures to protect personal data. This includes measures to ensure the confidentiality, integrity, and availability of the data. Controllers must also conduct data protection impact assessments when processing activities are likely to result in a high risk to individuals' rights and freedoms.

Additionally, public authorities and businesses engaged in systematic processing of personal data are required to appoint a data protection officer (DPO). The DPO's role is to advise the organization on data protection matters, monitor compliance with the GDPR, and act as a point of contact for individuals and supervisory authorities.

Lastly, both controllers and processors have specific obligations when it comes to reporting data breaches. They must notify the relevant supervisory authority of any personal data breaches without undue delay. In some cases, they may also be required to inform the affected individuals.

Providing safeguards for special categories of personal data

Under the GDPR, special categories of personal data are defined as sensitive information that requires additional protections and requirements during processing. These categories include data that reveal a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation.

To ensure the protection of special categories of personal data, the GDPR introduces specific safeguards. Organizations must have a lawful basis for processing such data, and one of the following conditions must be met: explicit consent from the individual, processing necessary for the purposes of carrying out obligations under employment or social security law, processing necessary to protect vital interests, processing carried out by a not-for-profit organization and relating to its members or former members, processing carried out for legitimate activities of certain types of associations or foundations, processing for historical research purposes, or processing necessary for reasons of substantial public interest.

Additionally, organizations processing special categories of personal data must implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the data. These measures should include limiting access to the data, pseudonymization or encryption where possible, and regular testing and evaluation of the security measures.

Furthermore, the principles of data minimization and purpose limitation apply, meaning that organizations should only collect and process special categories of personal data for specific, clearly defined purposes and with the minimum amount of data necessary to achieve those purposes. Organizations must also provide individuals with transparent information regarding the processing of their special categories of personal data, including the legal basis for processing, the purposes of processing, and their rights.

By implementing these safeguards and adhering to the requirements set by the GDPR, organizations can ensure the protection and lawful processing of special categories of personal data, promoting privacy and data security for individuals.

Aim 2: harmonisation of privacy laws across member states

The second main aim of GDPR is to ensure the harmonisation of privacy laws across member states within the European Union. Prior to the implementation of GDPR, each member state had its own set of privacy laws, causing inconsistency and confusion for businesses and individuals operating across borders. GDPR seeks to establish a unified framework for privacy regulations, providing organizations with a consistent set of rules to follow and individuals with a standardized level of protection for their personal data. This harmonization allows for a more streamlined and efficient approach to data protection, promoting trust and confidence in cross-border data transfers and ensuring that individuals' privacy rights are consistently upheld regardless of where they are located within the EU. By harmonizing privacy laws, GDPR aims to create a level playing field for organizations and enhance the protection of personal data across member states.

Standardising key principles, rights and obligations under GDPR

The General Data Protection Regulation (GDPR) aims to standardize key principles, rights, and obligations related to the protection of personal data within the European Union (EU). By harmonizing data protection laws across EU member states, GDPR ensures consistency in the way personal data is handled and gives individuals more control over their data.

The GDPR establishes seven key principles that serve as the foundation for these standards. These principles require personal data to be processed lawfully, fairly, and transparently. Organizations must collect data for specific, legitimate purposes, and ensure it is accurate and up-to-date. They must also limit the storage of personal data to only what is necessary and ensure it is kept securely.

One of the significant aspects of GDPR is the protection of data subject rights. Data subjects are the individuals whose personal data is being processed. GDPR grants data subjects several rights, including the right to access their data, rectify inaccuracies, and erase their data under certain circumstances. It also gives them the right to object to their data being processed and the right to data portability.

By standardizing these key principles, rights, and obligations, GDPR enhances data subject protection and ensures a higher level of privacy and security for individuals within the EU. It places greater responsibility on organizations to handle personal data in a transparent and accountable manner, with the potential for significant fines for non-compliance. Overall, GDPR aims to create a more consistent and privacy-friendly data protection framework across the EU.

Strengthening supervisory authorities’ powers across member states

One of the main aims of GDPR is to strengthen supervisory authorities' powers across member states. The regulation recognizes the importance of effective enforcement in ensuring compliance with the data protection principles. To achieve this, GDPR increases the authority and capabilities of supervisory authorities to enforce the regulations.

Firstly, GDPR grants supervisory authorities the power to conduct investigations and audits to assess compliance with the regulations. They have the authority to request information from organizations and access their premises during these investigations. This enables them to identify potential violations and take appropriate action.

Secondly, supervisory authorities have the power to issue warnings, reprimands, and orders to organizations that are not in compliance with GDPR. They can require an organization to rectify any issues or bring their data processing activities in line with the regulation. This ensures that organizations are held accountable for their actions and incentivizes them to prioritize data protection.

Furthermore, supervisory authorities have the power to impose penalties and fines on organizations that breach GDPR. The determination of these penalties takes into account various factors, such as the number of people affected by the infringement, the duration of the infringement, and the measures taken by the organization to mitigate damage. Additionally, the severity of fines may be influenced by the company's history of infringements and the extent of preventative measures taken.

By strengthening supervisory authorities' powers across member states, GDPR aims to create a robust enforcement framework that promotes compliance and protects the rights and privacy of individuals. This ensures that organizations are accountable for their data processing activities and face consequences for any violations of the regulation.

Creating a ‘one-stop shop’ model for determining competent supervisory authority

Creating a 'one-stop shop' model for determining the competent supervisory authority is one of the key aims of GDPR. This model simplifies the process for both companies and individuals when dealing with cross-border data processing activities.

Under the 'one-stop shop' model, an organization only needs to deal with the supervisory authority in its main establishment or in the member state where its main activities take place. This means that instead of having to comply with multiple supervisory authorities in different member states, businesses can now have a single point of contact for all their data protection matters.

The 'one-stop shop' model works by designating a lead supervisory authority for each organization. This lead authority is responsible for coordinating and overseeing any cross-border data processing activities carried out by that organization. It acts as the main point of contact for both the organization and individuals who have concerns or complaints related to their data processing.

The aim of this model is to streamline the data protection process by reducing administrative burden and duplication of efforts. It provides a clear and efficient mechanism for resolving disputes and ensures consistent interpretation and application of the GDPR across the European Union.

Establishing consistency in breach notifications across member states

Establishing consistency in breach notifications across member states is one of the main aims of the General Data Protection Regulation (GDPR). To ensure organizations comply with this requirement, they should take several steps:

  1. Promptly notify the supervisory authority: In the event of a data breach, organizations must notify the relevant supervisory authority within 72 hours. This notification should include details such as the nature of the breach, the number of data subjects affected, and any possible consequences and mitigation measures.
  2. Document the breach and remedies: It is crucial for organizations to thoroughly document all aspects of the breach, including the date and time of discovery, the type of data involved, and the actions taken to address the breach. This documentation will help in evaluating the severity of the incident and determining the appropriate response.
  3. Deliver direct notifications to affected individuals: Organizations must also directly notify the data subjects affected by the breach if there is a high risk to their rights and freedoms. This notification should be in clear and plain language, explaining the nature of the breach and any potential impact on their personal data.

By following these steps, organizations can ensure consistency in breach notifications across member states. This process helps in maintaining transparency, accountability, and trust in dealing with data breaches, ultimately protecting the rights and privacy of individuals as outlined in the GDPR.

General thought leadership and news

The NIST Cybersecurity Framework: Best practices

The NIST Cybersecurity Framework: Best practices

When it comes to security compliance, the NIST Cybersecurity Framework (NIST CSF) has built a reputation for effectively guiding organizations toward...

6clicks receives ISO 42001 certification for its AI Management System

6clicks receives ISO 42001 certification for its AI Management System

Melbourne, Australia – 18 November 2024. 6clicks, pioneer of the first AI-powered GRC (Governance, Risk, and Compliance) software, is proud to...

Hailey’s newest updates: Risk & issue generation + compliance mapping

Hailey’s newest updates: Risk & issue generation + compliance mapping

At 6clicks, we’re continually evolving our AI capabilities to make the process of risk management and compliance faster, smarter, and more intuitive....

Understanding the NIST RMF: Breaking down the 7 key steps

Understanding the NIST RMF: Breaking down the 7 key steps

The NIST Risk Management Framework (NIST RMF) is a flexible framework that can be tailored to your specific organizational profile and regulatory...

Past, present, and future themes in cybersecurity: Are you keeping up?

Past, present, and future themes in cybersecurity: Are you keeping up?

In the ever-evolving landscape of cybersecurity, understanding where we've been, where we are, and where we're going is essential. By examining the...

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer and more

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...