What is GDPR? Understanding the EU regulation

Introduction image

In an increasingly digital world, ensuring legitimacy of personal data processing and mitigating the risks of cyber threats and data breaches – both internal and from third parties – is still a challenge for many organizations.

For the protection of their personal data individuals in the European Union can rely on GDPR, the European Union (EU) General Data Protection Regulation.

What exactly is GDPR?

Applicable since May 25, 2018, GDPR outlines the rights EU citizens have in relation to their personal data and the steps organizations must take to store and process these  data legitimately and securely.

Therefore, it is very important that, if a company is submitted to GDPR,  it invests in tools that help it store personal data securely and comply with GDPR regulations.

What does the General Data Protection Regulation consider as personal data?

GDPR considers personal data to be any “information relating to an identified or identifiable natural person (‘data subject’) (art. 4.1 (a) GDPR).

Examples of personal data include location data, IP addresses, home addresses, cookie IDs, photos, personal email addresses and unique mobile device IDs, political opinions, data concerning health, sexual orientation.

Anonymized data and generic, catchall email addresses like are examples of data that is not covered by the GDPR.

What is the purpose of GDPR?

The General Data Protection Regulation (GDPR) has several goals. Among the main ones, we can mention:

  • Standardization of a data protection law: The GDPR establishes a standard data protection law for organizations established in any of the EU member states and for companies that offer goods or services to EU residents – the data subjects – regardless of where they are established;
  • Ensure data subjects have greater control over the processing of personaldata: The GDPR gives data subjects greater control over what information organizations can process about them. This includes notably the right to be informed, to object to data processing or to erase personal data;
  • Require companies to implement technical & organizational measures (“TOMs”): The General Data Protection Regulation requires companies to implement an acceptable level of data security in order to keep their customers’ and employees’ personal data safe from loss or unauthorized exposure;
  • Obliges companies to report violations of personal data: The GDPR obliges companies to notify the competent supervisory authority and the data subject in the event of violation of personal data that is likely to result in a high risk to the rights and freedoms of the data subject;
  • Appoint a Data Protection Officer: The GDPR requires some organizations to appoint a Data Protection Officer (DPO): essentially all public authorities or bodies and companies whose core activities consist in systematic monitoring of individuals on a large scale or in processing special categories of data such as health data, political opinions, data about religious or philosophical beliefs,  genetic data and biometric data;
  • Penalize companies that don’t follow the rules: Data protection regulations apply harsh penalties to organizations that don’t comply with the GDPR (fines; ban on processing; …).

GDPR core fundamentals

Among the general principles of GDPR, the processing of  personal data in a lawful, fair and transparent manner stands out.

Furthermore, personal data processed must be limited to the minimum and used only for a specified, explicit and legitimate purposes for no longer than necessary.

There must be a privacy notice explaining who processes what personal data on which legal basis and for what purpose, describing the recipients of the personal data, the period for which the data is stored by or on behalf of the organization as well as other mandatory information listed in art. 12-14 GDPR. .

The GDPR also has strengthened the rules governing email marketing. In short,  pursuant to the e-privacy legislation, a company cannot send any direct marketing email to an individual without its prior consent. Under GDPR such consent must be “freely given, specific, informed and unambiguous”.  However, you are allowed to send marketing emails to past customers of your company, and you can use generic email addresses (ex. to send marketing messages to organizations

Last but not least, companies must go to great lengths to ensure that their customers’ and staff members’ personal data is accurate, up-to-date and secure. Here, it is worth remembering that non-compliance with the Regulation  can result in heavy fines. We’ll talk more about non-compliance with GDPR throughout this article.

Main benefits of the General Data Protection Regulation (GDPR)

Increased trust and credibility in business

One of the great advantages of GDPR is to increase business trust and credibility.

While virtually all provisions of the General Data Protection Regulation are to protect and empower individuals, there are also several advantages for businesses.

As GDPR requires companies to be responsible, to minimize the use of customers’ personal data and to ensure that their processing is legitimate and secure, customers  will feel that their data are in good hands and their trust will grow.

In addition, as the company’s reputation improves, it can also attract more job applications and retain employees longer.

Improves storage and analysis of collected data

Storing a large amount of personal data without a good understanding of how to use it is not only useless but also an unnecessary cost for companies.

Organizations that comply with the strict requirements of the GDPR need to minimize stored data, to define specific processing purposes before the data is collected, thus avoiding unnecessary manipulation of such information.

Balances the competition

Without regulations such as GDPR, companies that respected the privacy of their customers’ data were generally at a disadvantage compared to others that did not give due importance to the confidentiality of this information.

Implementing data privacy policies from a company’s initial design is expensive, and there is profit to be made by selling illegal databases from different consumer groups.

With GDPR in place, the playing field has been leveled. All companies must implement data privacy across their organizations. Companies that value privacy are no longer at a disadvantage.

Provides more accurate data

When a company is required to remove outdated and unnecessary personal data, the information that remains is much more accurate.

GDPR forces every department in a corporation to better organize their data, resulting in more accurate, organized, and even more secure data.

In addition, the accuracy of this information can generate beneficial insights for decision making.

How can different company areas comply with GDPR?

Information Technology (IT)

There is no doubt that the IT department of companies is one of the most affected by GDPR.

To comply with the General Personal Data Regulation, the company must establish an inventory of processing activities that will show the types of data the company uses about which data subject, for which purpose, on which legal bases and which employees/processors or third-parties have access to it.

It is also worth remembering that the collection and use of  personal data must be legally justifiable and the IT department must take steps to ensure that the data is secured in a way that is appropriate to the risk of the data processing for the concerned individual (ex. the processing of an individual’s credit card details is more risky for that individual than the processing of its email address and must thus be secured more. Accordingly, all personal data stored must be encrypted whenever necessary and possible.

Company-wide protection of personal data must be considered and an internal security policy implemented. A process must be in place for reporting data breaches to supervisory authority and data subjects where required.

In addition, systems must be in place to allow data subjects to request and receive the personal data you store on them. Users must be able to quickly and easily update inaccurate data held about them, and companies processing personal data on behalf of others must at the end of their services be able to transfer or delete the data processed upon request.

Human Resources (HR)

HR teams will also need to understand the limits GDPR places on data collected from data subjects who are employees of the company because their personal data can only be processed when it is necessary to execute the labor contract, to comply with a legal obligation or other appropriate legal grounds. In the absence of choice, consent cannot be a valid legal ground.

Data can only be stored and used for a specific purpose and cannot be saved indefinitely without valid reasons. It must be stored in an encrypted format whenever possible, and any data breach, resulting in a risk for the individual’s rights and freedoms, must be notified to the competent supervisory authority within 72 hours. Whenever one must fear a high risk for the rights and freedoms of the affected persons, such individuals must be informed as well without undue delay.


Marketing departments should be aware of three main areas of GDPR. These are: data permission, data access and data focus.

Data permission rules state that promotional material can only be sent to people who have expressly consented to receive it. Marketing cannot automatically include someone in a newsletter when they sign up for a website. The visitor must explicitly opt-in by ticking a checkbox, for example.

The GDPR includes provisions on the right to erasure. That means giving people a way to remove their details from the company’s systems or unsubscribe from marketing.

And while marketing departments like to collect data about users, to be GDPR compliant they must be able to show that they have good reason to store the personal data they collect.

What are the risks of failing to comply with GDPR?

The costs of failure to comply with GDPR vary depending on the type and size of a company and the exact nature of the GDPR violation.

Fines of up to €10 million or 2% of a company’s annual global turnover are imposed for crimes such as not reporting a data breach, not appointing a Data Protection Officer (DPO) when necessary, or not building a privacy by design process.

Failure to comply with the law can result in fines of up to €20 million or 4% of a company’s annual global turnover, whichever is greater.

These more serious fines can stem from failures to protect the rights of data subjects, from unauthorized transfers of personal data internationally, or from ignoring citizens’ requests for their data.

TPO Map is the ideal solution to make your business GDPR compliant

TPO Map is the number one collaborative GDPR compliance platform.

Through an intelligent combination of automation, legal content and human support, TPO Map helps companies manage and implement compliance measures associated with the EU GDPR.

With configurations adapted to the needs of each client, TPO Map is a complete solution that helps organizations to identify and implement all the necessary GDPR compliance measures in a simplified and digital way.

The TPO Map platform offers a series of advantages that make it the most cost-effective solution for your company:

  • Digital, intuitive and transparent interface;
  • Methodology for Privacy Management Program with user guide;
  • Documentation depository (of legal bases, applicable data subject rights, relevant agreements and others);
  • Automated dashboard with compliance status;
  • Electronic Inventory Processing;
  • Automated security and risk assessments;
  • Structured data and clauses;
  • Customized plans according to customer needs.

To discover the most relevant features of our platform, contact our team of experts and request a free demo.

About TPO

TPO was founded by Sabine Mersch, a legal privacy professional accredited as a Legal Expert by the European Privacy Seal (EuroPriSe) and as a Certified Information Privacy Professional/Europe by the International Association of Privacy Professionals (IAPP). The company acts as an external data protection officer (DPO) or consultant and provides advice to small, medium and large companies in Europe on GDPR compliance matters.

Back to homepage