The GDPR, or General Data Protection Regulation, governs data privacy across the EU. It is one of the strictest data protection laws in the world, and breaches can lead to significant fines. This guide explains the basic principles of the GDPR and is designed to help startups and scale-ups get to grips with this complex legislation.
Scope of the GDPR
The GDPR has a very broad definition of personal data. Essentially, any data that can be linked to an individual EU resident is covered. The official definition is:
… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Let’s unpick that definition.
- The GDPR only relates to natural persons. In other words, data relating to companies, organisations, or other entities is not in scope.
- The data is only covered if it relates to a living person: once you die, your data is no longer protected.
- The data must be identifiable: if you remove all possibility of identification, the data is no longer protected (this is called anonymisation).
- Identifiers include direct identifiers (names, ID card numbers, IP addresses) and indirect identifiers (location history, or age if it lets you be singled out from a group). Moreover, a combination of factors might together count as an identifier.
Importantly, the GDPR applies based on where you live. Any resident of the EU is protected under the GDPR. But EU citizens who reside outside the EU aren’t protected.
Special categories of data
Certain categories of data receive additional, stricter protections. These are data that are viewed as potentially more sensitive. They cover:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
By default, you are not allowed to process this data. If you want to process any of this data, you need to fit into one of the defined legal bases to do so (see below).
Key GDPR terminology
The GDPR defines a number of important terms. The key ones you should know are listed here. You can find more in our GDPR Glossary.
- Data processing. The GDPR has an extremely broad definition of data processing that covers all actions relating to the data. That means creation, alteration, accessing, transferring, or deleting the data in whatever form it might exist.
- Data controller. The data controller is the entity responsible for deciding why the personal data is collected, and for ensuring this is done in accordance with the requirements of the GDPR.
- Data processor. A data processor works on behalf of the data controller. They perform defined data processing tasks in accordance with the DPA (data processing agreement) they sign with the controller.
- Legal basis. In order to process personal data, the data controller must establish a suitable legal basis. These are defined in Article 6 (normal data) and Article 9 (special category data). For more on this, read our in-depth guide.
Data subject rights
The GDPR grants a number of important rights to data subjects. It is essential that you bear these in mind when designing and building your systems. We have a detailed guide here.
- Right to be informed. The data controller must inform you why and how they will use your personal data. This is usually done via a privacy notice.
- Right to access your data. You can request a copy of all the data an organisation holds about you. This must be provided within 30 days.
- Right to rectification. You can require an organisation to correct any errors in the data they hold about you. They must comply in a reasonable time.
- Right to be forgotten. You can request that an organisation permanently deletes some or all of your data. They must comply and must also delete this data from any backups.
- Right to restriction of processing. You can ask for specific restrictions on the use of your data. For instance, asking that a doctor doesn’t share certain details of your treatment with others.
- Right to data portability. You have a right to receive a full copy of your data in a format that makes it easy to transfer to an alternative provider.
- Right to object. You can object to an organisation processing your data for certain purposes if they are relying on public interest/official capacity or legitimate interest as the legal basis. This is what Meta is currently asking people to do if they wish to object to their data being used for AI model training.
- Rights in relation to automated decision making and profiling. If an important decision is being made in a purely automated manner, you can request that a human checks the decision.
Note that there are special circumstances where some of these rights don’t apply. For instance, medical records are often required by law to be kept for a certain period, even if a person requests that they are deleted.
Data transfers
The GDPR imposes rules on transfers of personal data outside the EU. Transfers are only allowed where the European Commission has ruled that the data will receive the same protections as in the EU. If such an “Adequacy Decision” exists, you are allowed to transfer the data freely. In some cases, the adequacy decision is based on the alignment of the national laws with the GDPR (for instance, the UK). In the case of the US, however, it relies on an additional treaty.
Alternatively, you can rely on a different mechanism known as Standard Contractual Clauses. These pre-defined clauses have been approved by the European Commission as ensuring a suitable level of protection for any data transfer. They impose a number of legally-binding requirements on the non-EU processor receiving the data.
Important GDPR documents
There are several key documents that allow you to demonstrate you are complying with the requirements of GDPR.
- Data protection impact assessment (DPIA). This is a specialised risk assessment focused on data protection and privacy. It is used to ensure that your organisation, products, or services are compliant with the privacy by design and by default principles of the GDPR.
- Data processing agreement (DPA). This is a formal legal contract between data controllers and data processors. It sets out exactly how the
- Privacy Notice. A privacy notice is a simple-to-understand document that sets out details of how a company or organisation processes personal data.
- Privacy Policy. If your company handles personal data you should also have a privacy policy, which is a detailed internal document explaining exactly how you handle personal data as a company.
GDPR enforcement and fines
The GDPR is enforced by data protection authorities in each EU country. The legislation allows for extremely high fines of up to 4% of global turnover. It also allows additional enforcement actions such as ordering a company to stop processing data. Fines can be imposed for a number of reasons including:
- Insufficient legal basis for processing the data
- Issues related to data subject rights, such as a failure to delete data when asked
- Insufficient technical or organisational measures to protect the data (typically imposed after a data breach)
- Accidental data breaches, such as losing an unsecured USB drive with medical data
Many fines are also imposed for a much more general reason such as “non-compliance with general data processing principles”. To date, the largest fine was €1.2 billion imposed on Meta Ireland.
If you operate in more than one EU state, it’s worth knowing that there is a mechanism for determining which DPA prosecutes GDPR breaches. New legislation currently in progress will improve cooperation between DPAs when dealing with cross-border GDPR enforcement cases.
Need help figuring it out? We’re here to help!
Chino.io works as your partner to help you solve all privacy, security, and compliance issues. Our unique combination of regulatory expertise, legal know-how, and technical experience helps eliminate compliance risks while saving you money and time.
Book a call with our experts to learn how we can help you deliver compliant-by-design innovation.