GDPR Explained: How Businesses Protect Personal Data in the EU

By BrainStation December 18, 2019

When the European Union’s General Data Protection Regulation (GDPR) came into full force in May 2018, it was hot on the heels of the Facebook-Cambridge Analytica data scandal. The data breach heard around the world made consumers suddenly very aware of how their personal data could be collected and manipulated without their consent. It’s a pressing conversation that continues to evolve alongside rapid advances in technology to this day. 

As the internet became increasingly data-driven over the years, the European Union (EU) recognized that the privacy standards they’d had in place since 1995, the European Data Protection Directive, needed updating. In April 2016, the European Parliament adopted the GDPR and asked that all businesses be compliant by 2018. The GDPR embodies the EU’s firm stance on data protection and privacy and applies uniformly to all EU member states (unlike the former directive). 

Does GDPR Apply to You? 

Firstly, it’s important to note that the GDPR has implications outside of the EU. If you’re wondering if this applies to you, ask yourself these 2 simple questions: 

  1. Do you offer goods or services in the EU?
  2. Are you collecting or processing the personal data of EU citizens or residents for commercial purposes?

If you answered yes to either or both of these questions, then you need to comply with GDPR. This actually means that the majority of companies with global reach need to have a data strategy in place to avoid penalties of up to tens of millions of euros. 

If you decide how and why personal data is being used, you’re likely what the GDPR calls the “Data Controller.” This can be a business owner or simply a member of the data team. 

Alternatively, if you’re someone who processes data on behalf of a third party, you’re called a “Data Processor.” The GDPR has special regulations for processors.  

What’s Considered Personal Data? 

For a law that’s all about protecting personal data, it’s crucial to understand what kinds of data are included in the equation. 

According to the European Commission, personal data is any piece of information that can identify a living individual. This includes, but isn’t limited to, information such as names and surnames, personal email addresses, home addresses, biometric data and location data. 

Information that’s completely anonymous (and can’t be reversed in any way) is not considered personal data. This includes email addresses that are generic ( or a company registration number. 

The GDPR is technology agnostic, which means personal data must be protected regardless of how it’s being collected, organized, structured, used or deleted. 

7 Principles for Data Protection

There isn’t a one-size-fits-all approach to data protection and many parts of the law leave room for interpretation. The GDPR does lay out some guiding principles for processing personal data.

  1. Process the data you collect lawfully, fairly, and transparently. 
  2. Collect data for a specific and explicit purpose and only process that data as it relates to that purpose. The only exception is if the data is being used for research, statistical, or scientific purposes for the good of the public. 
  3. Minimize the amount of personal data you collect. Don’t collect more than is needed for the intended purpose. 
  4. Keep the data you collect up-to-date. If you’re unable to do this, then you must make a reasonable effort to update or delete it quickly. 
  5. Personal data can be kept in a form that allows you to identify individuals only for as long as it takes to fulfill your intended purpose. Again, there are exceptions for research, statistical, or scientific purposes. 
  6. Have measures in place to process data in a way that safeguards it from unauthorized processing or altering, loss, or damage.
  7. The data controller is ultimately held accountable and must be able to prove compliance. 

When is it Okay to Process Personal Data? 

Certain conditions must be met for your data processing to be considered “lawful”. Like other regulations of its kind, consent plays a leading role. 

There are a few situations where you’d be able to process personal data without consent, including:

  • to fulfill a contract such as a background check for employment,
  • a court order, and 
  • to save a life. 

This list is not extensive, but you can read the full list in Chapter 2, Article 6 of the GDPR. 

Getting Consent to Process Data

One of the first things you need to know about getting consent is that you need to prove that it happened. Consent can be given electronically, orally, or in writing as long as it’s an affirmative action (like ticking a box to opt-in). 

If you’re getting consent for more than one action, you need to make each action clear to the individual using clear and plain language. You need to make it as easy and nondisruptive as possible for an individual to revoke consent. 

Because consent needs to be freely given, you can’t make the execution of a contract (for example, a sale) dependant on providing consent when that personal data isn’t actually needed to fulfill that contract. 

How the GDPR Can Impact Your Data Processes

The individual, or what the GDPR calls the “data subject,” has certain rights regarding their personal data. Understanding each of them will help ensure that you have reasonable processes in place to respect them.

Rights include: 

    1. The right to access data. If requested, you must be able to tell the data subject what personal data is being collected, the purpose of collecting it, who will be processing it, and how long you intend to store it. The data subject can also request a copy of their data free of charge which you must be able to provide in common electronic form. 
    2. The right to correct and updated data. You need to be able to quickly update inaccurate or incomplete data if requested by the data subject. 
    3. The right to have data erased. The GDPR calls this “the right to be forgotten”. The data subject can ask that you erase their data, although there are some limitations to this, including a court order. 
    4. The right to restrict processing. If the data subject thinks your data is inaccurate, being processed unlawfully, or is no longer required for your intended purpose they can restrict you from processing it. 
    5. The right to share their data. The data subject can request their data, which you need to provide in a machine-readable format, so they can transmit that data to another controller. 
    6. The right to object. Unless you can come up with a legitimate reason why you need to process someone’s personal data, the data subject has the right to object to you processing it. This is especially applicable when it comes to data being used for marketing purposes. 
    7. The right not to be subject to an automated decision. The data subject can refuse to have a significant decision, like a job or credit application, made about their profile automatically without any human intervention.





When data or information about data is requested, you need to have internal processes in place that enable you to action them within one month of receipt. It needs to be provided in a concise and easy to understand way and can be done in writing, electronically, or orally (if identity can be verified). 

In the unfortunate event that you experience a data breach, you’re obligated to inform data subjects within 72 hours.  

What You Can do to Comply 

When it comes to the GDPR, you must be able to demonstrate compliance before you’re asked. suggests the following to get started:

  • Assign responsibility to someone on your team  
  • Document all the details of your data processing practice including why data is processed and how
  • Ensure all your staff are properly trained
  • Have responsible and compliant contracts with third-party data processors keeping in mind that you’re ultimately accountable 
  • Consider appointing a Data Protection Officer (in some cases, you might actually be obligated to have one) 

Ignoring the GDPR comes at a hefty cost. Fines can be up to €20 million or 4% of your global revenue if higher, not to mention the loss of trust and credibility that comes with a data breach.

With the stakes this high, it’s worth sweating the small stuff. Read the entire document on