GDPR for Dummies

The General Data Protection Regulation (GDPR) is a complex piece of data privacy legislation from Europe that affects — and, in my experience, may confuse — millions of businesses, big and small, worldwide.

I created this GDPR for Dummies guide to explain everything there is to know about the GDPR in easy-to-understand language.

Below, you’ll get a beginner’s explanation of the GDPR, who it applies to and protects, and what steps you need to take to set your business up for full compliance.

You can comply with the GDPR right now by using Termly’s free Privacy Policy Generator and Consent Management Platform.

  1. Key Takeaways: GDPR Explained in Under 5 Minutes
  2. The GDPR Explained for Beginners
  3. How Does the GDPR Affect Internet Users?
  4. How Does the GDPR Affect Businesses?
  5. Quick GDPR Checklist for Dummies: The Do's and Don'ts
  6. Dummies Guide to the GDPR [Infographic]
  7. GDPR for Dummies FAQ
  8. How Can Termly Help You Comply With the GDPR?
  9. Summary

Key Takeaways: GDPR Explained in Under 5 Minutes

I don’t think businesses should always have to rely on a lawyer to comprehend the basic requirements to comply with the GDPR, so I’ve explained the key takeaways from the regulation in easy-to-understand language for you below:

The list above is a good place to start for understanding the GDPR, but we really should discuss a few important parts of the Regulation in more detail.

So keep reading, and I’ll cover those vital little nuances throughout the rest of this simplified GDPR guide. Let’s go!

The GDPR Explained for Beginners

Next up in my GDPR for dummies guide, I’ll cover the basics of the GDPR, like what it is, why we need it, and how it defines specific essential phrases related to personal information and data processing.

What Is the GDPR?

The GDPR is an acronym for the General Data Protection Regulation and is a piece of European legislation that protects personal information. It outlines several requirements businesses must follow to process that data legally.

Although passed in the EU, it affects businesses worldwide, and it wrote the older idea of Privacy by Design (PbD) into law as "data protection by design and by default" (Chapter 4, Article 25).

This approach means keeping data collection to a minimum and building security measures in from the start of a processing activity, so that personal data is protected at every stage of processing rather than patched up after a leak or breach.

The GDPR follows seven principles of data protection:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (aka, security)
  7. Accountability

It went into effect on May 25, 2018, and set new standards for data privacy and security, kickstarting a wave of global privacy laws that forever changed how consumers and businesses alike use the Internet.

Why Do We Need the GDPR?

We need laws like the GDPR because people have the right to know about and have some control over what information gets collected about them and how it’s further used, or who it gets shared with. That includes you, me, and anyone else using the Internet.

Personal data is highly valuable — it supports a trillion-dollar industry.

Nowadays, numerous companies make a portion of their profits by selling personal information to advertisers. Regulations like the GDPR create a privacy framework for companies of all sizes by creating rules about what they can and can’t do with your personal information.

Knowing how this key piece of legislation works and what your potential rights are helps you maintain more control over your life both online and offline.

Who Does the GDPR Protect?

The GDPR protects the personal information of any person within the EU or EEA and refers to them as data subjects.

The EU Member States are:

The EFTA (European Free Trade Association) countries who are part of the EEA (European Economic Area) are:

The individual’s physical location is the only factor taken into account by the Regulation — it applies regardless of nationality or citizenship status.

What Businesses Must Follow the GDPR Requirements?

The GDPR applies to any business established in the EU/EEA, irrespective of whether the processing occurs within or outside the EU/EEA.

It also applies to businesses not established in the EU/EEA that process personal information and either:

  1. Offer goods or services to data subjects within the EU or EEA (irrespective of whether payment is required), or
  2. Monitor the behavior of data subjects within the EU or EEA

The above means companies located in any part of the world may fall under the legal scope of the GDPR.

However, if your business is not established in the EU/EEA, does not offer goods or services to individuals there, and does not monitor their behavior, the GDPR does not apply to you.

GDPR Definitions for Dummies

In the table below, I provided simplified versions of the specific legal definitions of important words as they appear in the text of the GDPR to help you determine if your business needs to follow the regulation.

Word | Definition for Dummies | Legal Definition as it appears in the GDPR (Chapter 1, Article 4)

Personal Data: Information that can identify a natural person (aka data subject), either directly or indirectly, such as:

Controller: Is your business the one that decides why and how the personal data is processed?

Processor: Does your business receive clear instructions from another party regarding why and how the personal data shall be processed?

What Are the Penalties for Violating the GDPR?

I’ll keep this section short and sweet. Depending on the type of infringement, businesses that violate the GDPR may receive fines of up to:

The Regulation is enforced by different Data Protection Authorities (DPAs) located in the EU/EEA countries.

Like a data privacy sheriff, they enforce and supervise the application of the GDPR and relevant national laws in their country, provide expert advice on data protection issues, handle complaints lodged against violations of the law, and can even hand out hefty fines.

Nomination of a DPO (Data Protection Officer)

Entities (irrespective of whether they act as controllers or processors) must appoint a data protection officer (DPO) under Chapter 4, Article 37 if they are a public authority or body, or if their core activities consist of regular and systematic monitoring of individuals on a large scale or of large-scale processing of special categories of personal data. The DPO's tasks are to:

Even when a business may not be obliged to appoint a DPO under the GDPR, appointing one is still recommended as a best practice.

How Does the GDPR Affect Internet Users?

The GDPR affects Internet users based in the EU/EEA by granting them specific rights and control over when and how their personal data is processed.

Data subjects protected by the GDPR have the right to:

You can read more about the rights granted to data subjects in Chapter 3 of the GDPR.

How Does the GDPR Affect Businesses?

The GDPR outlines several business requirements you must follow (depending on whether you act as a controller or processor) to legally process personal information, which I cover briefly in the following sections.

Determine Your Legal Basis

According to the GDPR, your business must have a legal basis for processing each category of personal data from data subjects, so determine what these look like for your business.

The legally-sound reasons for data processing are explained in Chapter 2, Article 6 of the regulation and include:

Data Protection Impact Assessments (DPIAs)

If a company’s data processing activities are likely to pose a high risk to people’s rights and freedoms, it must carry out a DPIA before the processing starts, following Chapter 4, Article 35.

Examples of high-risk processing activities include:

Consent and the GDPR

Many businesses under the GDPR rely on obtaining user consent to process personal information legally. If you choose to do this, you must meet precise requirements.

The GDPR defines consent as:

“… freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her…”

Simply put, the data subjects concerned by your data processing must know what they agree to and freely give consent by taking an affirmative action, like ticking a checkbox or clicking a clearly marked ‘Agree’ button. Pre-ticked boxes, silence, or simply continuing to use a site do not count as consent (Recital 32), and you must be able to demonstrate that consent was given (Chapter 2, Article 7).

The GDPR also explains several conditions for consent in Chapter 2, Article 7, so ensure you’re meeting all of these additional requirements:

Most businesses use a consent banner with links to their cookie usage or personal data collection to obtain appropriate opt-in consent under the GDPR.
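The code below is an added example, not Termly’s or the page author’s code, showing the two properties a consent banner’s back end has to provide: nothing non-essential runs until the user takes an affirmative action, and the action is recorded (what was agreed to, under which notice version, and when) so it can be demonstrated later and withdrawn as easily as it was given. The purpose names, the `policyVersion` field and the in-memory store are assumptions for illustration; a real site would persist the record (for example in a first-party cookie) and map purposes to its own notice.

```javascript
// Added example (assumption-based, not Termly's code): a minimal consent
// record plus a gate for non-essential processing, following GDPR Art. 7
// (demonstrable, withdrawable consent) and Recital 32 (no pre-ticked boxes).

// Purposes that are not gated by consent at all; name is an assumption.
const ESSENTIAL = new Set(["strictly_necessary"]);

function createConsentStore(now = () => new Date()) {
  // In-memory record so the example runs under Node; a browser build would
  // persist this in a first-party cookie or localStorage.
  let record = null;

  return {
    // Absence of a record is NOT consent: only essential purposes pass.
    hasConsent(purpose) {
      if (ESSENTIAL.has(purpose)) return true;
      return record !== null && record.granted.includes(purpose);
    },

    // Record an affirmative action. Callers pass only the purposes the user
    // actively ticked; an empty array is a valid "reject all".
    recordConsent(grantedPurposes, policyVersion, source) {
      if (!Array.isArray(grantedPurposes)) {
        throw new TypeError("grantedPurposes must be an array of purpose names");
      }
      if (!policyVersion) {
        throw new Error("policyVersion is required to show what text the user agreed to");
      }
      record = {
        granted: [...new Set(grantedPurposes)].filter((p) => !ESSENTIAL.has(p)),
        policyVersion,          // which privacy/cookie notice was shown
        source,                 // e.g. "banner:accept-selected" (assumed label)
        timestamp: now().toISOString(),
      };
      return { ...record };
    },

    // Withdrawal must be as easy as giving consent (Art. 7(3)): one call
    // clears the record. It does not undo processing that already happened.
    withdraw() {
      const previous = record;
      record = null;
      return previous;
    },

    // If the notice changed, an old record is no longer "informed" consent.
    isCurrent(policyVersion) {
      return record !== null && record.policyVersion === policyVersion;
    },

    snapshot() {
      return record ? { ...record } : null;
    },
  };
}

// Run a loader (analytics tag, ad pixel, ...) only if consent exists.
function gate(store, purpose, loader) {
  if (!store.hasConsent(purpose)) return { loaded: false, purpose };
  loader();
  return { loaded: true, purpose };
}

// Walk through the lifecycle and return the observable states.
function demo() {
  const store = createConsentStore();
  const states = [];
  states.push(gate(store, "analytics", () => {}).loaded);      // false: no action yet
  store.recordConsent(["analytics"], "privacy-v1", "banner:accept-selected");
  states.push(gate(store, "analytics", () => {}).loaded);      // true after opt-in
  states.push(gate(store, "marketing", () => {}).loaded);      // false: not ticked
  store.withdraw();
  states.push(gate(store, "analytics", () => {}).loaded);      // false after withdrawal
  return states;
}

console.log(JSON.stringify(demo()));
```

The important design point is the default: `hasConsent` returns `false` for every non-essential purpose until `recordConsent` has been called with that purpose, so a banner that loads trackers first and asks afterwards cannot pass this gate. Keeping `policyVersion` and `timestamp` in the record is what lets you answer a supervisory authority’s "prove this user consented, and to what" question later.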

Termly’s GDPR-compliant Consent Management Platform helps you meet all of the additional consent requirements.

GDPR Privacy and Cookie Policy Requirements for Businesses

Your business needs an accurate, GDPR-compliant privacy policy and cookie policy so data subjects can understand the data processing activities performed by your business properly under the GDPR.

According to Chapter 3, Article 13 of the GDPR, businesses must present the following information to data subjects at the time the personal data is obtained from them (Article 14 sets out the equivalent list for data obtained from another source):

The Regulation also gives data subjects the right to obtain confirmation from the controller as to whether or not their personal data is processed and, if that is the case, to access the personal data collected about them.

Chapter 3, Article 15 states that controllers must inform the data subjects concerned of all of the following details:

GDPR-compliant DSAR Forms

To ensure that your users protected by the GDPR can easily exercise their rights, provide them with a Data Subject Access Request (DSAR) form on your website.

A DSAR form creates a straightforward, simple process for your users who want to delete, amend, or access their information. Two practical points to build into that process: verify that the requester really is the data subject before releasing anything (Article 12(6)), and respond without undue delay and within one month of receiving the request, which can be extended by two further months only for complex or numerous requests (Article 12(3)).

Using Termly’s CMP provides you with a free DSAR form to adequately handle any requests from your data subjects. See an example of its configuration setting below.

[Screenshot: Termly DSAR form configuration settings]

You’ll then get an embeddable form to link to your website that looks like the screenshot below.

[Screenshot: Termly embeddable DSAR form]

Data Processing Agreements Under the GDPR

If another company helps you process your users’ personal information, you must create a contract that follows specific requirements, as explained in Chapter 4, Article 28 of the GDPR.

You and the third party must sign the contract, often called a Data Processing Agreement (DPA). It must include all of the following details regarding the third-party processor:

GDPR Data Safety and Security Requirements

The GDPR requires businesses to protect the personal data they process with technical and organizational measures appropriate to the risk, so that it is not lost, altered, disclosed, or accessed by people who should not have it.

It’s up to you what safety measures you put into place, but Chapter 4, Article 32 names the following as examples of appropriate measures:

  1. Pseudonymization and encryption of personal data
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  3. The ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident
  4. A process for regularly testing, assessing, and evaluating the effectiveness of those measures

It is recommended to reassess the technical and organizational measures intended to continuously safeguard personal data (for example, once a year, or after a specific incident or breach). When judging what is “appropriate,” Article 32 tells you to weigh the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

If a personal data breach occurs, the controller must notify the competent data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms (Chapter 4, Article 33); a processor that discovers a breach must inform the controller without undue delay. Because the clock starts at awareness, your incident response process should record when the breach was first confirmed.

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the affected individuals must also be informed without undue delay (Article 34).

Quick GDPR Checklist for Dummies: The Do’s and Don’ts

To help simplify the GDPR even further, I’ve created two lists for you, one featuring the GDPR Dos and another featuring the GDPR Don’ts.

The GDPR Do’s

If your business falls under the scope of the GDPR, amongst others, you must do all of the following:

The GDPR Don’ts

Now that you know what to do if your business falls under the GDPR, take a look at a list of what not to do:

Dummies Guide to the GDPR [Infographic]

Good news: We’ve compiled the essential parts of this GDPR guide for dummies into an easily shareable infographic. Check it out below!

Download the GDPR for Dummies Infographic using the link below:

When it comes to respecting data privacy laws and user rights, we’re all in this together — so feel free to share this guide and infographic with others if you find it helpful.

GDPR for Dummies FAQ

I love talking about data privacy compliance and the GDPR. So, below, read through some answers to the most frequently asked questions we get about the GDPR.

What does GDPR stand for?

The GDPR is an acronym for the General Data Protection Regulation.

What is the GDPR in simple words?

The GDPR is a data privacy regulation from Europe. It describes the rights individuals based in the EU/EEA have over their personal information when it is processed by businesses (or by natural persons acting outside of purely personal use), and it sets out the rules businesses worldwide must follow to process that personal data legally.

What are the seven principles of the GDPR?

The seven principles of the GDPR, as described in Chapter 2, Article 5, are:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (aka, security)
  7. Accountability

Who does the GDPR apply to?

The GDPR applies to any processing of personal data by a controller or processor established in the EU/EEA, irrespective of whether the processing itself takes place inside or outside the EU/EEA.

The GDPR also applies to the processing of personal data by a controller or processor that is established outside of the EU/EEA but who processes the personal data of natural persons in the EU/EEA and meets either of the following conditions:

Who does the GDPR protect?

The GDPR protects natural persons who are present within the European Union (EU) or the European Economic Area (EEA).

Do I need to comply with the GDPR if my business is in the US?

Yes, you need to comply with the GDPR if your business is in the US and you process personal information and meet either of the following requirements:

How Can Termly Help You Comply With the GDPR?

Termly offers policy generators and consent management solutions backed by our team of lawyers and data privacy experts that can help your business fully comply with the GDPR and several other data privacy laws worldwide.

We make legal compliance easy and affordable so you can remain focused on the things that matter most, like your business and customers.

Our free Privacy Policy Generator follows all requirements outlined by the GDPR — all you need to do is answer simple questions about your business. It creates a properly formatted, compliant policy for you.

See what it looks like in the screenshot below.

[Screenshot: Termly Privacy Policy Generator]

We also offer a Consent Management Platform equipped with regional support settings so you can configure a GDPR-compliant consent banner that appears for all of your EU/EEA users and adequately obtains and tracks their consent choices following the regulation.

In the screenshot below, you can see an example of the settings for our consent banner.

[Screenshot: Termly Consent Management Platform (CMP) banner settings]

We’re your all-in-one compliance solution, and our tools help small to medium-sized businesses around the globe remain up-to-date with laws like the GDPR and more.

Summary

The GDPR changed the scope of data privacy forever and has affected businesses worldwide.

But with this guide and Termly in your toolbox, you’re ready to set your website up for full compliance without any hassles, confusion, and expensive legal fees.

Remember, to comply with this regulation, you’ll need:

For more in-depth help with the GDPR, check out these valuable resources:

Teodor Stanciu, CIPP/E, CIPM

More about the author

Written by Teodor Stanciu, CIPP/E, CIPM

Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has more than seven years of experience as a DPO for an international organization active in 50 countries and based in Brussels, Belgium. Teo is a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP).