Skip to content

What is GDPR in simple terms?


What is GDPR?

The General Data Protection Regulation (GDPR) is a set of strict rules and regulations designed to protect the privacy and personal data of individuals within the European Union (EU). It was implemented on May 25, 2018, and applies to all businesses and organizations, regardless of their location, that process the personal data of EU citizens. The GDPR aims to give individuals control over their personal information and ensure that their data is handled securely and responsibly. Failure to comply with the GDPR can result in hefty fines and other legal consequences, making it essential for businesses to understand and adhere to its requirements.

Why was the GDPR created?

The General Data Protection Regulation (GDPR) was created to address the need for updated personal data laws in the digital age and to increase accountability for organizations in handling personal data. The aim of the GDPR is to empower individuals and ensure the security of their personal data.

In recent years, there has been a significant increase in the amount of personal data collected and processed by organizations. This data is often used for targeted advertising, market research, and other purposes without the explicit consent or knowledge of individuals. Moreover, the Cambridge Analytica data scandal highlighted the potential misuse and unauthorized access to personal data, leading to public outcry and the realization of the urgent need for stricter rules and protection measures.

The GDPR was designed to give individuals more control over their personal data and to strengthen their privacy rights. It introduces stringent requirements for organizations, such as obtaining valid and explicit consent before processing personal data, implementing technical and organizational measures to ensure data security, and promptly notifying authorities and affected individuals in the event of a data breach.

By modernizing outdated laws and introducing strict rules and hefty fines for non-compliance, the GDPR aims to protect individuals' personal data in an era of advanced technology and greatly enhance transparency and accountability in data processing practices.

The general data protection regulation basics

The General Data Protection Regulation (GDPR) is a comprehensive set of data protection laws that were implemented in the European Union (EU) in 2018. The aim of GDPR is to give individuals more control over their personal data and to harmonize data protection regulations across EU member states. It applies to any organization that collects, processes, or stores personal data of EU citizens, regardless of whether the organization is located within the EU or not. The regulation introduces strict rules and protection measures that organizations must adhere to, including obtaining valid consent for data processing, implementing technical and organizational security measures, and promptly notifying authorities and individuals in the event of a data breach. Non-compliance with GDPR can result in substantial fines and penalties for organizations, highlighting the significance of these regulations in safeguarding individuals' privacy rights.

Privacy policies and plain language

In order to comply with the General Data Protection Regulation (GDPR), privacy policies need to be written in plain language. This means that they should be easy for users to understand, avoiding complex jargon and technical terms.

According to Chapter 3, Article 13 of the GDPR, privacy policies must include certain important details. These include the identity and contact details of the Data Controller, the purposes and legal basis for processing personal data, the legitimate interests pursued by the Data Controller, and any recipients or categories of recipients that the personal data may be disclosed to.

Additionally, the privacy policy should provide information about the retention period for personal data, the rights of the data subjects, such as the right to access and rectify their data, and the right to lodge a complaint with a supervisory authority.

By using plain language and including the required details, privacy policies can provide transparency and clarity to users regarding the processing of their personal data. This helps to build trust and ensure that individuals are aware of their rights and how their data is being handled.

Supervisory authority

The supervisory authority plays a crucial role in ensuring compliance with the General Data Protection Regulation (GDPR). Acting as an independent public authority, its primary responsibility is to enforce the GDPR within its jurisdiction and provide guidance to both individuals and organizations on how to adhere to data protection laws.

As an enforcement body, the supervisory authority has the power to conduct investigations into potential violations of the GDPR. This includes reviewing data processing activities and ensuring that organizations have implemented proper security and privacy measures. In cases where non-compliance is identified, the authority has the ability to take appropriate actions, such as issuing fines or penalties.

Aside from enforcement, the supervisory authority also serves as a reliable source of guidance for individuals and organizations seeking clarity on data protection matters. They offer insights and interpretations of the GDPR, helping entities understand their obligations and responsibilities while processing personal data.

Furthermore, the supervisory authority acts as a resolver of complaints. If individuals believe their data protection rights have been infringed, they can turn to the authority for assistance. The authority will assess the complaint, investigate the situation, and take necessary actions to resolve the issue, ensuring that data subjects' rights are protected.

Data protection officer

A Data Protection Officer (DPO) plays a crucial role in ensuring compliance with the General Data Protection Regulation (GDPR). This is particularly important for organizations that handle large amounts of personal data on a regular basis. The GDPR mandates the appointment of a DPO under certain conditions.

The responsibilities of a DPO include understanding and advising on GDPR compliance within the organization. They are tasked with monitoring and overseeing the implementation of data protection policies and procedures to ensure that personal data is being processed in line with the law. This involves conducting regular audits and assessments to identify any gaps or risks in data protection practices.

In addition, a DPO is responsible for providing guidance and training to employees on the legal obligations and requirements of the GDPR. This helps to create a culture of data protection awareness within the organization and ensures that individuals understand how to handle personal data correctly.

Furthermore, a DPO acts as a liaison with supervisory authorities, such as the enforcement body for data protection laws. They facilitate communication and cooperation between the organization and regulatory bodies, assisting with any inquiries, investigations, or complaints related to data protection.

By appointing a DPO, organizations demonstrate their commitment to protecting personal data and complying with the GDPR. The role of a DPO is essential in maintaining a high level of data protection and ensuring that individuals' privacy rights are respected.

Special categories of personal data

Special categories of personal data are a key aspect of the General Data Protection Regulation (GDPR). These categories include sensitive information that reveals a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person's sex life or sexual orientation.

Under the GDPR, processing such special category data requires a higher level of protection and can only be done under certain conditions. One condition is obtaining explicit consent from the individual, which means they must provide a clear and specific agreement for their data to be processed. Another condition is when processing is necessary for legal claims or judicial acts, such as in court proceedings. Additionally, processing can be permitted if there are reasons of substantial public interest, such as monitoring public health or conducting historical research.

These strict rules around special category data aim to protect individuals' most sensitive information. By placing additional safeguards and conditions on its processing, the GDPR ensures that this data is handled with utmost care and respect.

Natural person

A natural person, in the context of the General Data Protection Regulation (GDPR), refers to an individual as opposed to a legal entity or corporation. The GDPR recognizes the significance of natural persons and places great importance on protecting their rights and personal data.

Under the GDPR, a natural person is defined as any person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifiers, or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Recognizing the rights and protections of natural persons is a fundamental aspect of the GDPR. Natural persons are referred to as 'data subjects' under the regulation, and they have a range of rights in relation to their personal data. These rights include the right to access their data, the right to rectify inaccurate data, the right to erasure, the right to restrict processing, the right to data portability, and the right to object to processing.

By acknowledging and safeguarding the rights of natural persons, the GDPR aims to ensure that individuals have control over their personal data and are protected from misuse or unauthorized access by organizations or entities. It highlights the importance of respecting privacy and the individual's right to determine how their personal information is used and handled.

Public authorities

Public authorities play a crucial role in ensuring the protection of personal data under the General Data Protection Regulation (GDPR). As data controllers, public authorities are responsible for determining the purposes and means of processing personal data. They have specific duties and responsibilities to comply with the GDPR's principles and requirements.

First and foremost, public authorities must ensure the lawfulness, fairness, and transparency of their data processing activities. This means that they must have a valid legal basis for processing personal data and must process it in a fair and transparent manner. They should clearly inform individuals about the purposes of the processing, the categories of data being processed, and the retention period of the data.

Public authorities are required to provide individuals with certain information regarding the processing of their personal data. This includes the identity and contact details of the data controller, which is typically the public authority itself. They must also inform individuals about the legal basis for processing their data, including any necessary consent or other legitimate grounds. Additionally, public authorities must inform individuals about their rights, including the right to access their data, the right to rectification, the right to erasure, and other rights as per the GDPR.

Lawful basis for processing personal data

Under the General Data Protection Regulation (GDPR), businesses need to have a lawful basis for processing personal data. There are several different lawful bases outlined by the regulation that an organization can rely on. These include the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party.

To ensure GDPR compliance, businesses must be able to demonstrate that they have a valid legal basis for each category of information they process. This means that they need to clearly identify and document the specific condition under which they are processing personal data. For example, if a business is relying on consent as the lawful basis, they must be able to provide proof that individuals have given their explicit and informed consent to the processing of their personal data.

By understanding the lawful bases for processing and being able to demonstrate the legal basis for each category of information, businesses can ensure that they are compliant with the GDPR's requirements. This not only helps protect individuals' privacy rights but also safeguards businesses against potential fines and penalties for unlawful data processing.

Legal obligations regarding privacy rights

Under GDPR, organizations have legal obligations to protect privacy rights and ensure GDPR compliance. These obligations include implementing necessary protection measures and providing transparency in data processing activities.

The main legal obligation is that organizations must act as data controllers and establish a lawful basis for processing personal data. This means organizations must have a clear purpose and valid justification for collecting and using individuals' personal information. They must also implement technical and organizational measures to protect personal data from unauthorized access, loss, or alteration.

Furthermore, organizations must provide individuals with clear and concise privacy notices that outline the processing activities, the purpose of data collection, and their privacy rights. This includes informing individuals about their right to access, rectify, or erase their personal data. Organizations must respond promptly to individuals exercising these rights.

The significance of these legal obligations is that they provide individuals with greater control over their personal data and enhance transparency in data processing activities. By complying with these obligations, organizations not only demonstrate their commitment to privacy rights but also mitigate the risk of non-compliance and potential hefty fines.

Protection measures for processing activity

Under the GDPR, organizations are required to implement certain protection measures for processing activity to ensure the appropriate security, integrity, and confidentiality of personal data. These measures aim to protect individuals' information from unauthorized access, loss, alteration, or disclosure.

One of the key protection measures is the use of encryption and other technical safeguards to prevent unauthorized access to personal data. Encryption involves converting the data into a form that can only be accessed with a decryption key, making it extremely difficult for unauthorized parties to decipher the information. This helps protect sensitive data from being intercepted or accessed by unauthorized individuals.

Additionally, organizations need to establish access controls and authentication mechanisms to ensure that only authorized personnel can access personal data. This helps prevent data breaches and unauthorized use of individuals' information.

Regular monitoring and logging of processing activities are also crucial protection measures. This allows organizations to detect and respond promptly to any suspicious or unauthorized activity, minimizing the impact of a potential security breach.

The importance of these protection measures cannot be overstated. Ensuring appropriate security, integrity, and confidentiality of personal data not only helps in safeguarding individuals' privacy rights but also builds trust with customers. It demonstrates an organization's commitment to protecting their data and mitigates the risk of data breaches or non-compliance with the GDPR.

By implementing these protection measures, organizations not only fulfill their legal obligations but also create an environment where personal data is handled with utmost care, minimizing the potential harm that can arise from unauthorized access or disclosure.

Legal basis for automated decision-making

Under the General Data Protection Regulation (GDPR), organizations must have a legal basis for carrying out automated decision-making processes that involve personal data. Automated decision-making refers to the use of technology or algorithms to make decisions or evaluate individuals without human intervention.

To lawfully process personal data using automated decision-making, organizations must meet certain conditions. Firstly, they need to have a legal basis for processing the data, such as obtaining the individual's explicit consent or having a legitimate interest in conducting the automated decision-making. The decision-making process must also be necessary for entering into or fulfilling a contract with the individual, or it must be authorized by law.

Obtaining valid consent for automated decision-making is crucial. Organizations must ensure that the individual has provided their explicit consent, which is freely given, specific, informed, and unambiguous. They must also provide clear and easily understandable information about the automated decision-making process and its consequences.

Non-compliance with GDPR regulations regarding automated decision-making can have significant implications and consequences. Organizations may face hefty fines and reputational damage for failing to meet the legal requirements. Moreover, individuals have the right to access information about the logic behind automated decisions, contest decisions made solely based on automated processes, and seek remedies if they suffer harm from such decisions.

GDPR rights for individuals, companies, and public authorities

GDPR, or the General Data Protection Regulation, is a comprehensive data protection law that came into effect in the European Union (EU) in May 2018. It is designed to protect the privacy and personal data rights of individuals, while also imposing strict rules and obligations on companies and public authorities who handle personal data. GDPR grants individuals a range of rights, including the right to access their personal data, the right to have their data erased or corrected, the right to restrict or object to certain types of processing, and the right to data portability. These rights give individuals greater control and transparency over their personal data, ensuring that their privacy is respected and protected. At the same time, GDPR places responsibility on companies and public authorities to comply with these rights and implement appropriate security measures to safeguard personal data from unauthorized access or breaches. Failure to comply with GDPR can result in significant financial penalties, making it crucial for organizations to understand and adhere to these regulations.

Subject rights under GDPR

Subject rights under GDPR refer to the rights granted to individuals (data subjects) within the European Union/European Economic Area (EU/EEA) regarding their personal information. GDPR stands for General Data Protection Regulation, a privacy law established to protect the personal data of individuals.

Under GDPR, data subjects have several important rights. Firstly, they have the right to access their personal data held by organizations. This means they can request information about what personal data is being processed and how it is being used.

Data subjects also have the right to request the amendment or correction of any inaccurate or incomplete personal information. They can ask organizations to rectify any errors or update outdated information.

Furthermore, individuals have the right to object to the processing of their personal data. This means they can request that their data no longer be processed for specific purposes. They also have the right to request the deletion of their personal information in certain circumstances, such as when it's no longer necessary or when they withdraw their consent.

Businesses must process personal data in a lawful and transparent manner, only for specific legal purposes. They are also required to implement privacy by design and by default measures to ensure the protection of personal data.

General thought leadership and news

6clicks receives ISO 42001 certification for its AI Management System

6clicks receives ISO 42001 certification for its AI Management System

Melbourne, Australia – 18 November 2024. 6clicks, pioneer of the first AI-powered GRC (Governance, Risk, and Compliance) software, is proud to...

Hailey’s newest updates: Risk & issue generation + compliance mapping

Hailey’s newest updates: Risk & issue generation + compliance mapping

At 6clicks, we’re continually evolving our AI capabilities to make the process of risk management and compliance faster, smarter, and more intuitive....

Understanding the NIST RMF: Breaking down the 7 key steps

Understanding the NIST RMF: Breaking down the 7 key steps

The NIST Risk Management Framework (NIST RMF) is a flexible framework that can be tailored to your specific organizational profile and regulatory...

Past, present, and future themes in cybersecurity: Are you keeping up?

Past, present, and future themes in cybersecurity: Are you keeping up?

In the ever-evolving landscape of cybersecurity, understanding where we've been, where we are, and where we're going is essential. By examining the...

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer and more

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...

ServiceNow GRC pricing: Is it worth it in 2025?

ServiceNow GRC pricing: Is it worth it in 2025?

Concerned about ServiceNow GRC’s pricing plans and total cost of ownership? You’re not alone. With a custom pricing structure, determining the...