GDPR for dummies

GDPR 

FOR 

Everything you need to know 

DUMMIES

1. 

What is GDPR?

What is the purpose? 

Who is concerned? 

⇒ Better protect the 

personal data of 

European Union 

“data subjects” – EU 

citizens and other 

nationals physically 

present in the EU. 

Any business or 

organization that offers 

services to EU data 

subjects, or that collects, 

processes or stores the 

data of EU data subjects

General Data Protection Regulation 

“GDPR” 

The timeline 

● 

● 

● 

2016: GDPR agreed 

2016 - 2018: Preparation 

25 th May 2018: GDPR came into effect.

2. 

What is Personal 

Data under 

GDPR?

What is personal data ? 

Piece of 

Vestibulum congue 

information 

tempus 

that contains 

an “identifier” 

Lorem ipsum dolor sit 

amet, consectetur 

adipiscing elit, sed do 

eiusmod tempor. 

Piece of 


information 

tempus 

Lorem ipsum dolor sit 

that amet, consectetur pertains 

adipiscing elit, sed do 

to eiusmod a person 

tempor. 

Vestibulum congue tempus 

Personal data 

Lorem ipsum dolor sit amet, consectetur 

adipiscing elit, sed do eiusmod tempor. Ipsum 

dolor sit amet elit, sed do eiusmod tempor.

GDPR personal data can be: 

▸ Names 

▸ Date of birth 

▸ Telephone numbers 

▸ Addresses 

▸ Bank details 

▸ Opinions 

▸ Passport numbers 

▸ Location data 

▸ Audio/visual recordings of the individuals 

So-called “anonymous” data does not need protection by data 

security laws

Most data protection laws consider maintaining data 

longer than necessary a breach of privacy 

Those storing data must carefully consider how to safely 

dispose of it once it has served the purpose it was 

collected for.

3. 

Sensitive data

What is sensitive data? 

Examples 

➢ Particular pieces of 

information that make 

individuals especially 

vulnerable. 

➢ Requires greater levels of 

protection 

➢ Requires extra levels of 

checks and justification 

➢ Race or ethnicity 

➢ Religious or spiritual 

beliefs 

➢ Political or philosophical 

leanings 

➢ Trade union alliances 

➢ Biological/genetic data 

➢ Medical data 

➢ Sexuality/gender identity

4. 

Who’s involved 

in GDPR policy ?

“The Vestibulum controller” congue 



“The processors” 


“Data subjects”


“The controller” 

Government agency or 

organization (public or 

private) that initiates the 

collection and processing 

of personal data. 

They are also the ones who 

use it and, if necessary, 

share it.

Usually IT companies or 

third-party marketing 

companies. 



“The processors” 

“Data processor” can also 

relate to any software used 

to process data. 

In many circumstances, the 

same organization can be both 

a data controller and a data 

processor.

People whose personal 

information is being used 

and processed by the 

controllers and processors. 



“The “Data processors” subjects” 

These individuals retain the 

right to access, correct or 

request the removal of 

information collected about 

them. 

GDPR also gives the 

data subject the right to 

portability

5. 

What is GDPR 

Data Processing?

Exceptions to GDPR 

Member states may apply 

for specific exemptions 

If an individual poses a threat to the 

rights and freedoms of others, their 

data is often no longer protected 

under GDPR

Examples of when personal data 

may no longer be treated 

● 

● 

● 

● 

● 

● 

● 

Defense concerns 

Crime prevention 

Financial security 

Prosecution of a crime 

Suspected tax evasion 

Public health concerns 

Freedom of information

6. 

Where will the 

GDPR Apply?


Data must be protected in line with EU 

standards for all its citizens, 

regardless of where the data itself is.

7. 

What about 

BREXIT and GDPR?

It is very likely that the UK’s new Data 

Protection Laws will take the same shape 

as GDPR. 

This is, in part, to facilitate the fact that 

many UK organizations will work with the 

data of EU data subjects.

8. 

GDPR in the 

United States

The EU-US Privacy Shield Framework 

Adopted in 2016 

Allows private data to be transferred outside of the EU if 

the recipient organization is certified by the US 

Department of Commerce or the EU Supervisory Authority. 

US organizations must certify they have “adequate 

safeguards” to protect data and must conduct an annual 

review to self-certify that they are compliant.

9. 

“GDPR right to 

be forgotten” 

and 

“GDPR right to 

be informed”

“right to be 

forgotten” 

Those who hold an 

individual’s personal 

data must delete it upon 

request if: 

“right to be 

informed” 

Data subjects must 

receive information from 

the controller about: 

● 

● 

● 

● 

The data has lost its relevance 

The subject withdraws consent 

The subject objects to the 

processing of the data 

The data was unlawfully 

processed 

● 

● 

● 

● 

What information is collected 

What and how it’s stored 

How it’s being used 

Any change whilst the data is 

still in the controller’s 

possession

10. 

What are the 

GDPR Penalties for 

Non-Compliance?

As part of the original Directive on privacy, each member 

state can establish its own regime for penalties. 

Maximum penalty : 

£500,000 

Maximum penalty : 

€150,000 

GDPR will standardise the penalty scheme. Now, 

the maximum penalty will be €20 million, or 4% 

of a company’s annual net worth.

11. 

What are the GDPR 

Privacy Principles?

01 

02 

03 

04 

05 

06 

07 

Notification 

Lawfulness 

Limits 

Security 

Accountability 

Downstream 

Protection 

Access and Rights 

Clear information how the data 

is being used 

Consent or clear legal basis needed 

for sharing data 

Personal data only be disclosed 

when necessary 

Reasonable measures are employed 

to protect the data. 

The controller and the processors 

must comply with GDPR 

Any party with which the information 

was shared must adhere to privacy 

legislation. 

The individual has the right to 

access and use his personal data 

Individual must be warned of the 

08 Breach Notification 

breach notification within 72 hours.

12. 

What are Some 

Best Practices to 

Ensure Data 

Remains 

Protected?

1 

Clear desk policy 

Before any employee leaves his or her workstation: 

▸ No materials describing private data are left on the desk 

▸ Computers should be locked or logged off 

▸ Any other electronic devices should be stored away or 

taken with the individual

2 

Password security 

Passwords: 

▸ Should be long 

▸ Should containing a mix of 

lower- and upper-case 

letters, numbers and special 

characters 

It is imperative no 

passwords are 

written down, and 

if they are, they 

should be kept well 

away from the 

computer that they 

unlock 

▸ Should not be words

3 

Practice secure storage 

▸ Any material that contains a person’s 

personal private information must be 

stored in a secure manner. 

▸ If it is maintained digitally, it must be 

adequately encrypted.

4 

Ensure that mobile devices are 

secure 

The Bring Your Own Device (BYOD) policies 

increase the risk of information theft. 

Devices should be adequately secured and, 

of course, be password-protected.

5 

Ensure secure transmission of 

data 

▸ Private information should not be sent via 

insecure, free email services or via fax. 

▸ Senders of information should doublecheck 

to see if recipients are authorised to 

receive the information.

6 

Secure workplaces from 

unauthorized personnel 

▸ Work stations should be set up to prevent 

unauthorized visitors from seeing computer 

monitors 

▸ Ensure that any files open on a desk are not 

readable by unauthorized passer-by’s.

7 

Secure disposal of data 

▸ Ensure that all protected data has been 

properly removed from DVDs, USB 

drives, mobile devices before disposal 

▸ Hard copies of such data must be finely 

shredded

8 

Reporting breaches 

▸ The breach notification must be done within 72 

hours 

▸ The organization must report the breach to the 

EU Regulator 

▸ Reports should be made if there has been a 

suspected, but unconfirmed, breach of data.

13. 

How to be 

GDPR-Compliant

How to be GDPR-Compliant in 7 steps 

Step 1 

Step 2 

Step 3 

Step 4 

Step 5 

Step 6 

Step 7 

Ensure 

privacy is a 

top priority for 

the 

organization 

Ensure 

accountability 

within the 

organization 

Ensure that 

data is 

properly 

processed 

Ensure 

third 

parties also 

adhere to 


Ensure the 

rights of 

the data 

subject are 

met 

Ensure to 

account 

for all 

possible 

risks 

Ensure 

there are 

procedures 

for dealing 

with data 

breaches in 

place.

14. 

GDPR Guide for 

Dummies: 

Conclusion


states 

How data should be obtained 

How data should be processed 

How data should be stored

Businesses and organizations 

operating outside the European 

Economic Area (EEA) 

Data subject to GDPR can only be shared 

with businesses and organizations in non- 

EU countries that have an adequacy 

agreement in place.


Compliant 

Compliance 

of third 

parties 

Compliance 

of 

operations

It is recommended businesses 

conduct a compliance audit 

and discuss their current level 

of data security with a GDPR 

Compliance Consultant.


FOR 

You now know everything! 

DUMMIES 

Find more information about GDPR here: 

https://www.hipaaguide.net/gdpr-for-dummies/

GDPR for dummies

Create successful ePaper yourself

Delete template?

Save as template?