


GDPR: The definitive guide

The GDPR plays a big role in protecting your privacy and safeguarding your personal data. Let’s explore its principles, how it applies, user rights, and the consequences of non-compliance.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a set of rules that govern personal data collection and processing in the European Union (EU) and the European Economic Area (EEA). These rules were created to protect data privacy by ensuring personal data is collected and processed responsibly and transparently.

The GDPR (Regulation (EU) 2016/679) was adopted in 2016 and has applied since 25 May 2018. It replaced the Data Protection Directive (95/46/EC), which had been the EU's main data protection law since 1995.

Who does the GDPR apply to?

The GDPR applies to organizations established in the EU or EEA, and to organizations anywhere else that offer goods or services to people in the EU or monitor their behaviour (for example by tracking visitors to a website). It covers personal data, meaning any information relating to an identified or identifiable person, whether the identification is direct or indirect, including:

  • Basic identity information (name, address, ID/passport number).

  • Web data (IP addresses, location, cookies).

  • Health, genetic, and biometric data.

  • Racial or ethnic origin.

  • Political opinions or religious beliefs.

  • Sexual orientation.

  • Any other information that can identify an individual, directly or in combination with other data.

Health, genetic, and biometric data, racial or ethnic origin, political opinions, religious beliefs, and sexual orientation are "special categories" of personal data under Article 9. Processing them requires an additional condition (such as explicit consent) on top of the normal lawful basis.

The seven principles of the GDPR

Article 5 of the GDPR sets out seven principles for processing personal data (all personal data, not only sensitive data), defining how data controllers should collect, use, and safeguard it.

  1. Lawfulness, fairness, and transparency. Processing must rest on a lawful basis (such as consent, a contract, a legal obligation, or legitimate interests), must not be misleading or unduly detrimental to the people concerned, and must be explained to them openly.

  2. Purpose limitation. Organizations must specify the purposes for collecting personal data up front and may not further process it in a way that is incompatible with those purposes.

  3. Data minimization. Organizations should collect only data that is adequate, relevant, and limited to what is necessary for the intended purpose.

  4. Accuracy. Personal data must be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.

  5. Storage limitation. Personal data may be kept in a form that identifies people only for as long as needed to achieve the processing purpose.

  6. Integrity and confidentiality. Data must be processed with appropriate technical and organizational security measures that protect it against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This applies to controllers and processors alike.

  7. Accountability. The controller is responsible for compliance with these principles and must be able to demonstrate it, for example through records of processing activities, documented policies, and risk assessments.

These seven principles are key to handling personal data safely and responsibly. By following them, organizations can build trust, reduce risks, and protect people’s privacy. Collecting less data and keeping it for less time also shrinks what a breach can expose, and the transparency and accountability requirements mean organizations must be able to show how they protect the data they do hold.

GDPR non-compliance fines

Organizations that don't comply with the GDPR may face fines and other penalties, depending on the severity of the violation and the organization's size and resources. The GDPR defines two levels of fines for non-compliance:

  • Minor violations. These are infringements of the obligations placed on controllers and processors, such as failing to keep records of processing activities, not appointing a data protection officer where one is required, inadequate security measures, or failing to notify a personal data breach. Fines can be up to €10 million or 2% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher.

  • Severe violations. These are infringements of the basic principles of processing (including the conditions for consent and processing without a lawful basis), of data subjects' rights, or of the rules on international data transfers, as well as failing to comply with an order from a supervisory authority. Fines can be up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Supervisory authorities also have corrective powers beyond fines, such as issuing warnings or reprimands, ordering an organization to bring its processing into compliance, or imposing a temporary or definitive ban on processing.


Know your GDPR rights

The GDPR empowers you to take control of your personal data and protect your privacy. It’s important to understand your digital rights and know that you can access the data companies hold about you — or even request its removal.

The right to be informed

The GDPR gives you the right to be informed about how companies collect and use your personal data, including how long they’ll keep your data and who can access it.

The right of access

Under the GDPR’s right of access, you can view the personal data an organization holds about you, including its purpose and how it is stored and processed.

The right to rectification

The GDPR gives you the right to rectification, meaning you can ask an organization to correct any inaccurate or incomplete personal data about you.

The right to erasure

Thanks to the GDPR’s right to erasure, you can ask an organization to delete your personal data, for example when it is no longer needed for the purpose it was collected for or you withdraw the consent the processing relied on. The right is not absolute: data can be kept where the law requires it, for public-interest purposes, or to establish or defend legal claims.

The right to restrict processing

Under the GDPR’s right to restrict processing, you can request that an organization limit how your data is used or processed in specific circumstances.

The right to data portability

The GDPR’s right to data portability lets you receive the personal data you provided to an organization in a structured, commonly used, machine-readable format and transfer it to another organization, or have it transmitted directly where that is technically feasible.

The right to object

You can exercise the GDPR’s right to object to processing that relies on legitimate interests or a public task, and to processing for direct marketing, which the organization must stop as soon as you object. You can also object to processing for scientific, historical, or statistical research purposes unless that processing is necessary for a task carried out in the public interest.

The right not to be subject to automated decision-making

The GDPR also gives you the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on you (such as an automated refusal of credit). Where such decisions are permitted, you can ask for human intervention, express your point of view, and contest the decision.

GDPR usage examples

Privacy policy

Websites must clearly explain how they process user data in their privacy policies, ensuring compliance with the GDPR and protecting the user’s rights (including the right to be informed about data collection).

Cookie policy

Websites must inform users about the cookies and similar trackers they use and obtain consent before setting any that are not strictly necessary for the service the user asked for. Pre-ticked boxes or continued browsing do not count as consent; users must actively agree and must be able to refuse. The GDPR's consent standard applies here alongside the EU ePrivacy rules, respecting the right to be informed and giving users more control over their data.

Third-party sites

A website operated outside the EU is still subject to the GDPR if it offers goods or services to people in the EU or monitors their behaviour. Some operators respond by geo-blocking EU visitors; that is a business choice rather than a legal requirement, and the alternative is to bring the site into compliance.

Pseudonymization

Organizations may use pseudonymization: replacing direct identifiers (such as names, e-mail addresses, or IP addresses) with pseudonyms so that the data can no longer be attributed to a specific person without additional information, such as a lookup table or cryptographic key, that is kept separately and protected. Pseudonymized data is still personal data under the GDPR, but the technique lowers the risk: analysis can continue on the pseudonymized records, and a leak of those records alone does not directly reveal who they concern.
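As an added example (not code from the original page), here is what that pseudonymization looks like in Python: direct identifiers in a constructed order log are replaced with keyed HMAC-SHA256 pseudonyms, the re-identification table is produced as a separate object, per-customer analysis runs on the pseudonymized records alone, and a dictionary attack shows why a plain unkeyed hash of an e-mail address is a poor pseudonym. The sample records, the key handling and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample data for this example: the kind of order log a web shop
# might keep. The people, addresses and amounts are made up.
RAW_RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "item": "book", "amount": 12},
    {"email": "bob@example.com", "ip": "198.51.100.23", "item": "lamp", "amount": 40},
    {"email": "alice@example.com", "ip": "203.0.113.7", "item": "pen", "amount": 3},
    {"email": "carol@example.com", "ip": "192.0.2.99", "item": "book", "amount": 12},
]

# Direct identifiers that get replaced; the remaining fields stay for analysis.
IDENTIFYING_FIELDS = ("email", "ip")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    The same input under the same key always yields the same pseudonym, so
    records about one person stay linkable. Without the key nobody can compute
    or verify a pseudonym, so the pseudonymized table on its own does not
    re-identify anyone. 128 bits of output is plenty to avoid collisions.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def unkeyed_pseudonym(value: str) -> str:
    """The weak variant: a plain hash with no secret. Shown only for contrast."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymized records, re-identification table).

    The table maps pseudonym -> original identifier. It is the 'additional
    information' of Art. 4(5) GDPR and, like the key, must be stored apart
    from the pseudonymized records, e.g. in a separate system with its own
    access control.
    """
    pseudo_records = []
    lookup: Dict[str, str] = {}
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            p = pseudonym(rec[field], key)
            lookup[p] = rec[field]
            new[field] = p
        pseudo_records.append(new)
    return pseudo_records, lookup


def spend_per_customer(pseudo_records: List[dict]) -> Dict[str, int]:
    """Analysis on pseudonymized data: total spend per customer, keyed by the
    e-mail pseudonym, without knowing who any customer is."""
    totals: Counter = Counter()
    for rec in pseudo_records:
        totals[rec["email"]] += rec["amount"]
    return dict(totals)


def reidentify(p: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the party holding the separately stored table can do this, for
    example to act on an access or erasure request."""
    return lookup.get(p)


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Try to recover an identifier from its pseudonym by hashing guesses.

    E-mail addresses and IPv4 addresses come from small, enumerable spaces, so
    this succeeds against an unkeyed hash. An attacker without the key cannot
    compute keyed pseudonyms at all; hashing guesses without it matches nothing.
    """
    for candidate in candidates:
        if fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once per deployment; store it apart from the data
    pseudo_records, lookup = pseudonymize(RAW_RECORDS, key)
    print(spend_per_customer(pseudo_records))

    # The attacker's word list: addresses they already know or can guess.
    guesses = ["alice@example.com", "bob@example.com", "dave@example.com"]
    weak = unkeyed_pseudonym("alice@example.com")
    strong = pseudonym("alice@example.com", key)
    print("unkeyed recovered:", dictionary_attack(weak, guesses, unkeyed_pseudonym))
    print("keyed recovered:  ", dictionary_attack(strong, guesses, unkeyed_pseudonym))
```

The design point is the separation: the analytics team gets the pseudonymized records, the key and the lookup table live elsewhere under stricter access, and only the combination of the two re-identifies anyone. Deleting a person's entry from the table (or, for the whole dataset, destroying the key) is also a practical way to act on erasure requests without rewriting every downstream copy.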

Data security measures

Article 32 requires organizations to implement technical and organizational measures appropriate to the risk, such as encryption and pseudonymization, access controls that preserve the confidentiality, integrity, availability, and resilience of processing systems, the ability to restore data promptly after an incident, and regular testing of those measures. This protects personal data from unauthorized access and safeguards users' rights.

User consent

Consent is one of several lawful bases for processing, not a universal requirement, but when an organization relies on it the consent must be freely given, specific, informed, and unambiguous, and users must be able to withdraw it as easily as they gave it. For special categories of data, such as health information, explicit consent is one of the conditions that can make processing lawful.

Third-party sharing

When sharing data with third-party services that process it on the company's behalf, the company must have a written contract (a data processing agreement) binding the processor to the GDPR's requirements, and must ensure the processor provides sufficient guarantees of appropriate security, especially when special categories of data are involved.

Frequently asked questions