What Is GDPR and Why It Matters
GDPR (General Data Protection Regulation) is the European regulation that protects the personal data of EU citizens. In effect since May 2018, it fundamentally changed how companies collect, process, and store personal data.
Why GDPR Affects Any Business

Applies if:
- You have customers or users from the EU
- You process EU citizens' data
- You have a presence in the EU (physical or digital)
- You offer goods/services to the EU

Doesn't matter:
- Where your company is headquartered
- Business size
- Whether it's B2B or B2C

GDPR Statistics 2025
- €4.5 billion in GDPR fines since implementation
- €1.2 billion largest fine (Meta, 2023)
- 91% of companies have modified data practices
- 84% of consumers are more privacy-conscious
- 88% prefer companies that are transparent with data
- Average breach cost: €4.45 million

Fundamental GDPR Principles

1. Lawfulness, Fairness, Transparency
- Legal basis for processing
- Don't deceive users
- Clearly inform what you do with data

2. Purpose Limitation
- Collect only for specific purposes
- Don't use for anything else without consent

3. Data Minimization
- Collect only what's strictly necessary
- Not "just in case"

4. Accuracy
- Correct and up-to-date data
- Correction mechanisms

5. Storage Limitation
- Don't keep longer than necessary
- Clear retention policies

6. Integrity and Confidentiality
- Adequate security
- Protection against breaches

7. Accountability
- You can demonstrate compliance
- Documentation and evidence

Legal Bases for Data Processing

1. Consent
Requirements for valid consent:
- Freely given: Not conditioned on the service
- Specific: Given for each purpose separately
- Informed: The person knows what they're accepting
- Unambiguous: A clear affirmative action (e.g. ticking a checkbox that is unchecked by default)
- Withdrawable: As easy to withdraw as to give

What is NOT valid consent:
- ❌ Pre-checked checkboxes
- ❌ "By continuing, you agree..."
- ❌ Generic consent for everything
- ❌ Bundled consent (all or nothing)

Correct example:
"☐ I want to receive the newsletter with offers and news.
☐ I agree to my data being used for personalization."

2. Contract
When processing is necessary for:
- Executing a contract with the person
- Pre-contractual steps at the person's request
Example: Processing an address to deliver an order.

3. Legal Obligation
When the law requires you to process. Example: Keeping invoices for the tax authorities.

4. Vital Interests
When necessary to protect someone's life. Example: Medical emergencies.

5. Public Interest
For tasks carried out in the public interest or in the exercise of official authority. Example: Public authorities, research.

6. Legitimate Interest
When you have a legitimate interest that is not overridden by the person's rights.
Requires a balancing test:
1. What legitimate interest do you have?
2. Is processing necessary for this interest?
3. Do the person's rights override it?
Example: Direct marketing to existing customers (with an easy opt-out).

Data Subject Rights

1. Right to Information
Must inform about:
- Your identity (controller)
- DPO contact details (if applicable)
- Processing purpose
- Legal basis
- Data recipients
- Transfers outside the EU
- Retention period
- The person's rights
- Right to withdraw consent
- Right to complain to the authority
When: At the moment of collection (or within 30 days if the data is not collected directly from the person).

2. Right of Access
The person can request:
- Confirmation that you process their data
- A copy of all their data
- Information about the processing
Response deadline: 30 days (can be extended by 60 days for complex requests).

3. Right to Rectification
Right to correct inaccurate or incomplete data. Deadline: Without undue delay.

4. Right to Erasure ("Right to be Forgotten")
Applies when:
- The data is no longer necessary
- Consent has been withdrawn
- The person objects and no overriding legitimate grounds exist
- The processing was unlawful
- There is a legal obligation to delete
Exceptions:
- Freedom of expression
- Legal obligations
- Public interest
- Scientific/historical research
- Establishment/exercise of legal claims

5. Right to Restriction of Processing
The person can request that processing be limited when:
- They contest the accuracy of the data
- The processing is unlawful but they don't want erasure
- You no longer need the data but they want it kept for legal claims
- They have objected to processing (pending verification)

6. Right to Data Portability
Right to receive data in a structured format and transfer it to another controller.
Conditions:
- Processing is based on consent or contract
- Processing is automated

7. Right to Object
Right to object to processing based on legitimate interest or public interest.
Direct marketing: Absolute right to object, must be respected immediately.

8. Rights Regarding Automated Decisions
Right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects.

Implementing GDPR in Practice

Privacy Policy
Must contain:
- Controller identity
- DPO contact
- What data you collect
- Why you collect it (purposes)
- Legal basis
- Who you share it with
- International transfers
- How long you keep it
- User rights
- How they can exercise their rights
- Right to complain
- Profiling and automated decisions
Best practices:
- Clear language, not legal jargon
- Structured in sections
- Easy to find
- Regularly updated
- Versions for different audiences

Cookie Consent
Cookie categories:
1. Strictly necessary: No consent required
2. Functional: User preferences
3. Analytics: Usage statistics
4. Marketing: Tracking and advertising
A correct banner:
- Clear option to accept OR refuse
- Reject as easy as Accept
- Granular settings by category
- Doesn't block access before a choice is made
- Doesn't use dark patterns
Example:
"We use cookies to improve your experience. [Accept all] [Settings] [Reject]"

Forms and Consent
Form checklist:
- [ ] Checkboxes unchecked by default
- [ ] Each purpose with a separate checkbox
- [ ] Link to the privacy policy
- [ ] Clear language about what they'll receive
- [ ] Explanation of how they can unsubscribe

Data Security
Technical measures:
- Data encryption (at rest and in transit)
- Access control (principle of least privilege)
- Backup and recovery
- Logging and monitoring
- Patch management
- Firewall and network protection
Organizational measures:
- Documented policies and procedures
- Employee training
- NDAs with vendors
- Regular risk assessments
- Incident response plans

Data Processing Agreements (DPA)
When needed:
When a third party processes data on your behalf (a processor). Example: Email marketing provider, cloud hosting, CRM.
Must contain:
- Subject matter and duration of the processing
- Nature and purpose
- Type of data
- Processor obligations
- Assistance in handling rights requests
- Security
- Sub-contractors
- Audit rights
- Deletion/return at the end

Records of Processing Activities (ROPA)
Mandatory if:
- You have over 250 employees OR
- Processing is not occasional OR
- You process sensitive data OR
- You process criminal data
Includes:
- Data categories
- Purposes
- Categories of data subjects
- Categories of recipients
- International transfers
- Deletion deadlines
- Security measures

Data Protection Impact Assessment (DPIA)
Mandatory when:
- Systematic evaluation (profiling)
- Large-scale sensitive data processing
- Systematic monitoring of public areas
- Anything that could result in high risk
Contains:
1. Processing description
2. Necessity and proportionality
3. Risks to individuals
4. Mitigation measures

Data Protection Officer (DPO)
Mandatory for:
- Public authorities
- Large-scale systematic monitoring
- Large-scale sensitive data processing
Responsibilities:
- Information and advice
- Compliance monitoring
- Cooperation with the authority
- Point of contact

Managing Data Breaches

What Is a Breach
Any security incident leading to one of the following in relation to personal data:
- Destruction
- Loss
- Alteration
- Unauthorized disclosure
- Unauthorized access

Authority Notification (ANSPDCP in Romania)
When: Within 72 hours of discovery.
If: The breach is likely to result in a risk to people's rights.
What to report:
- Nature of the breach
- Categories and number of people
- Categories and number of records
- DPO contact
- Likely consequences
- Measures taken/proposed

Notifying Individuals
When: If the risk is high.
Exceptions:
- You've taken measures making the data unintelligible (encryption)
- You've eliminated the risk
- It would require disproportionate effort (public announcement instead)

Breach Response Plan
1. Detection and Assessment
- What happened
- What data is affected
- Who is affected
- Severity
2. Containment
- Stop the breach
- Prevent additional damage
3. Notification
- Authority (72h)
- Individuals (if high risk)
4. Documentation
- All breaches, not just notified ones
- Facts, effects, measures
5. Remediation
- Fix the vulnerability
- Improve controls
- Update procedures

Fines and Sanctions

Tier 1 (Less Severe)
Up to:
- €10 million OR
- 2% of annual global turnover
For:
- Controller/processor obligations
- Certification body obligations
- Monitoring body obligations

Tier 2 (Severe)
Up to:
- €20 million OR
- 4% of annual global turnover
For:
- Basic principles
- Individual rights
- International transfers
- Non-compliance with an authority order

Factors Influencing Fines
Aggravating:
- Intentional violation
- Lack of measures
- History of violations
- Lack of cooperation
- Sensitive data involved
Mitigating:
- Proactive measures
- Cooperation with the authority
- Certifications
- Prompt corrective actions
- First violation

GDPR Compliance Checklist
Initial Audit
- [ ] Inventory of personal data collected
- [ ] Identified legal bases for each processing activity
- [ ] Assessed DPO necessity
- [ ] Review privacy policy
- [ ] Review cookie policy and consent
- [ ] Verify forms and consent
- [ ] Assess data security
- [ ] Identify processors and necessary DPAs
- [ ] Create ROPA if applicable
- [ ] Breach response plan
Ongoing
- [ ] Regular employee training
- [ ] Periodic policy review
- [ ] Monitor new processing
- [ ] Manage rights requests
- [ ] Update security measures
- [ ] Audit vendors
- [ ] Test breach response plan

Privacy Trends 2025
1. ePrivacy Regulation
New EU regulation for electronic communications: stricter rules for cookies and electronic marketing.
2. AI Act and Privacy
Specific requirements for AI systems and personal data.
3. Cross-Border Data Transfers
Post-Schrems II: uncertainty for US-EU transfers, new Standard Contractual Clauses.
4. Children's Privacy
Stricter requirements for minors' data.
5. Privacy by Design
From "nice to have" to mandatory in development.

Conclusion
GDPR isn't just about avoiding fines: it's about building trust with customers in an era where privacy matters more than ever.
Getting started:
1. Audit what data you collect and why
2. Verify legal bases
3. Update privacy policy
4. Implement correct cookie consent
5. Secure data
6. Train your team
7. Document everything
Don't forget:
- Privacy by design, not an afterthought
- Transparency builds trust
- Minimization > excessive collection
- Documentation saves you
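As an added example (not code from the original article), the consent rules from the Cookie Consent and Forms and Consent sections expressed as a small state module: nothing pre-checked, each category granted separately, reject and withdraw as cheap as accept, a timestamp kept as evidence, and stale consent re-asked after the policy changes. Storage and banner UI are left to the caller, and POLICY_VERSION is an assumed identifier.

```javascript
// Added example, not from the original article: consent state for the four cookie
// categories in the Cookie Consent section. Storage and banner UI are left to the
// caller (assumed); POLICY_VERSION is an assumed identifier for the cookie policy.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2025-01"; // bump whenever the cookie policy text changes

// Default state: no choice recorded yet, nothing pre-checked. Strictly necessary
// cookies need no consent, so they are the only category that is always on.
function defaultConsent() {
  return {
    version: POLICY_VERSION,
    decidedAt: null, // null = the visitor has not decided; optional categories stay off
    categories: { necessary: true, functional: false, analytics: false, marketing: false },
  };
}

// Record a granular choice. A category that is missing or not exactly `true` is
// treated as refused, so a partially filled settings form never grants by accident.
function recordChoice(choices, now = new Date()) {
  const state = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary") state.categories[c] = choices[c] === true;
  }
  state.decidedAt = now.toISOString(); // kept as evidence of when consent was given
  return state;
}

// "Reject" is one call, exactly like "Accept all": neither path is harder.
function acceptAll(now) { return recordChoice({ functional: true, analytics: true, marketing: true }, now); }
function rejectAll(now) { return recordChoice({}, now); }

// Withdrawal of one category: as easy as granting it, and re-stamped for the record.
function withdraw(state, category, now = new Date()) {
  if (category === "necessary") throw new Error("strictly necessary cookies are not consent-based");
  return { ...state, decidedAt: now.toISOString(), categories: { ...state.categories, [category]: false } };
}

// A stored choice made under an older policy version must be asked again.
function needsReconsent(state) {
  return state.decidedAt === null || state.version !== POLICY_VERSION;
}

// Gate to call before injecting a tag: only strictly necessary scripts run before a
// decision; everything else needs a current, explicit grant for its category.
function mayLoad(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === "necessary") return true;
  return !needsReconsent(state) && state.categories[category] === true;
}
```

Call mayLoad before inserting any analytics or marketing tag; if the tag manager runs before a decision, the default state refuses everything except strictly necessary scripts.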
---
The DGI team offers GDPR consulting and compliance audits for businesses of all sizes. Contact us for a free assessment.