GDPR: The General Data Protection Regulation Broken Down

By Maya Heins Published on Apr. 16, 2019

As the world we live in continues to grow more interconnected and the everyday uses of the internet become more and more ingrained in our daily lives, questions and concerns arise about how the data about our online activities is collected and used.

In order to respond to this, the European Union (EU) has created a legal framework that establishes guidelines for how data collection and processing is managed for individuals residing in the EU. 

Known as the General Data Protection Regulation (GDPR), it was approved in April 2016, and came into full effect across the EU on May 25, 2018. It replaces the original Data Protection Directive, and is comprised of various elements that try to realize the goal of standardization of data privacy regulations across Europe. While GDPR compliance and enforcement processes are still being fully developed, and its full effects are not yet completely understood, the most important elements of GDPR include:

Broader territorial scope

These regulations apply to all companies processing the personal data of persons residing within the EU, regardless of where the processing takes place.


Stronger consent requirements, including easily accessible and understandable requests, the purpose of the data processing must be attached to consent, and consent must be easy to withdraw. 

Increased individual’s rights

Right of access

Individuals have been given the express right to know whether or not their personal data is being processed and/or stored, where, and for what purpose. 

Right to be forgotten

Individuals now have the right to have their personal data be erased and/or stop processing of their data. 

This is possible when the data is no longer pertinent to the original intent of the processing or when an individual withdraws consent.

Right to rectification

Incorrect data must be amended. 

Right to data portability

Copies of what personal data is being processed must be provided free of charge to an individual upon request. 

Privacy by design

Encryption and monitoring systems to protect data must be included in the designing of systems.

It is now prohibited to use data for reasons other than the original stated purpose.

Data should only be stored when absolutely necessary, and extra data should not be collected.

Breach notification

Data breaches must be reported within 72 hours.

Data Protection Officers (DPOs)

In the case where data processing requires routine monitoring of data subjects on a large scale or data relating to criminal convictions and offences, a DPO must be appointed to ensure GDPR compliance.


Companies who are found to be out of compliance of GDPR can face fines of up to 4% of annual global turnover or €20 Million (whatever is greater).

This applies to both data controllers (the party that has collected and controls/ owns the data) and processors (the party that processes data for the data controller), so no one is exempt from these guidelines. 

There are several parties who are greatly affected by GDPR regulations. On the one hand, data controllers and data processors are under stricter guidelines to ensure the privacy of the data that they handle. On the other hand, these regulations also have important consequences for EU & Global businesses. 

EU companies that have more than 250 employees, are required to keep more detailed records in order to achieve GDPR compliance. 

For those with less than 250 employees, unless they work directly with personal data processing or data that pertains to criminal activities, they are not required to hold such detailed internal records. 

For global businesses, these regulations are important because they apply to all data processing of EU residents regardless of where an organization is located.  This means that internationally located companies must still obtain GDPR compliance if they process data from persons located in the EU, or face consequences.

Finally, to take a quick look at what kind of solutions exist to help with the transition of this regulatory change and to ensure GDPR compliance, we will look at overviews of four different solutions.

Solutions to help you ensure GDPR compliance

Trew Knowledge

Trew Knowledge is a plugin offered by WordPress, it easily allows websites the ability to offer privacy management for Cookies, rights to erasure, double opt-in confirmation emails, right to access through an admin dashboard, as well as various other features. 

AvePoint Privacy Impact Assessment (APIA) System

AvePoint Privacy Impact Assessment is a system that automates the GDPR assessment and evaluation process for companies. It does this through end-user reporting on access to site traffic, identification of suspicious activity, virtual machine backups, and content archiving approval, among others. 

Guided GDPR Task Management Solution From Ecomply:

Ecomply provides a GDPR assessment of a company, and then creates an easy to understand guide with how to reach GDPR compliance, including tools and reports.  

GDPR related services from Deloitte

They offer to review a company’s processing activities and give their results in a  report, which includes a preparation plan, development of a data protection scheme, a privacy impact assessment, evaluation of data protection agreements, protection training, implementation of internal data protection programs, and they will perform the duties of DPO for a company.

Data processing and the privacy of online activities is a rising concern in today’s world, as we continue to become more interconnected in our everyday activities. GDPR is an important step in the standardization of data privacy regulations in Europe. This legislative framework is important for not only our personal protection, but has important consequences for companies and employees all over the world. As organizations strive to become and remain GDPR compliant, the conversation about privacy and data rights of individuals is brought to the forefront of debate. Although, complex regulations are only a part of this conversation, how the world responds to GDPR is going to have an important impact on the future of global data processing.

Our sources for this article:

At Plug and Play’s Fintech accelerator we’re specialized in matching the best startups with the largest corporations.

The result? Innovation at its best. Join our platform today.

Read the rest of the collection.

GDPR, PSD2 and MiFID I/II: A good starting point for everyone in the financial system in Europe

Find out more