Understanding GDPR

What is GDPR exactly?

Ege Palaz
5 min read, Dec 21, 2021

GDPR is basically a set of data protection rules. This set includes rules about how people can access the information held about them, and also limits on what organizations may do with people’s data.

Let’s try to understand it together.

The final set of rules was ready after more than four years of negotiations. Both the European Parliament and the European Council adopted the rules in 2016.

Personal Data

When somebody says GDPR, personal data comes to mind first.

Personal data is any information that relates to an identified person, and that person must be a living individual. Several pieces of information that together lead to identification are also considered personal data.

Personal data that has been de-identified or encrypted but can still be re-identified still counts as personal data. Data that has been changed in such a way that the individual can no longer be traced is no longer considered personal data.
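The distinction above is easy to get wrong in practice, so here is an added example (not from the original post) that pseudonymizes constructed sample records with a keyed HMAC, shows that the key holder can still re-identify them (so they remain personal data), and contrasts that with dropping the identifier and generalizing the remaining fields. The record layout, field names and the `pseudonymize`/`reidentify`/`anonymize` helpers are all assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people). "email" is a direct identifier.
RECORDS = [
    {"email": "alice@example.org", "birth_year": 1987, "city": "Lyon", "purchases": 3},
    {"email": "bob@example.org", "birth_year": 1991, "city": "Lyon", "purchases": 1},
    {"email": "alice@example.org", "birth_year": 1987, "city": "Lyon", "purchases": 2},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: the same identifier always maps to the same token
    under the same key, so records about one person can still be linked."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace the direct identifier with a token, keeping a key-holder-only map
    back to the original value. Because re-identification is still possible,
    the output is still personal data under the GDPR."""
    lookup = {}
    out = []
    for r in records:
        token = pseudonym(r["email"], key)
        lookup[token] = r["email"]
        out.append({**{k: v for k, v in r.items() if k != "email"}, "subject": token})
    return out, lookup


def reidentify(pseudonymized, lookup):
    """What the key holder (or anyone who obtains the lookup map) can do."""
    return [{**r, "email": lookup[r["subject"]]} for r in pseudonymized]


def anonymize(records):
    """Drop the identifier entirely and generalize a quasi-identifier (exact
    birth year -> decade). No map back is kept. Whether the result is truly
    anonymous is a risk assessment of the whole dataset, not a property of
    this function."""
    return [{"birth_decade": r["birth_year"] // 10 * 10, "city": r["city"],
             "purchases": r["purchases"]} for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the pseudonymization key must be kept secret
    pseud, lookup = pseudonymize(RECORDS, key)
    print(pseud)
    print(reidentify(pseud, lookup)[0]["email"])  # key holder gets the email back
    print(anonymize(RECORDS))
```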

Examples of Personal Data

  • a name and surname
  • a home address
  • an email address that includes a name and surname
  • an identification card number
  • location data
  • an Internet Protocol (IP) address
  • a cookie ID

And below, there are examples of non-personal data.

  • a company registration number
  • an email address such as info@company.com
  • anonymized data

We’ve learned all about personal data. There is also sensitive personal data which may include racial or ethnic origin, religious beliefs, political opinions, genetic data, health information, or sexual orientation.

Complying with GDPR

If an organization does process the personal data of people, and if that organization is in the EU, then it must comply with the GDPR.

What does process mean here?

Almost everything. Collecting, storing, or analyzing data counts. Even collecting a person’s eye color counts as processing personal data.

The organization doesn’t have to be otherwise connected to the EU: if it processes the personal data of people in the EU, it must comply. The GDPR is also not limited to for-profit companies.

What are GDPR’s key principles?

  • Lawfulness
  • Fairness & Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage limitation
  • Integrity & Confidentiality
  • Accountability

What are my GDPR rights?

We’ve mentioned the organizations that collect or store data, but the legislation was actually created so that GDPR can help and protect people and their data.

It can help people have access to the data companies hold about them, or help people have the data deleted in some cases.

The full GDPR rights for individuals

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights around automated decision-making
  • Profiling

Have you heard about a Subject Access Request (SAR), also called a Data Subject Access Request (DSAR)? With a SAR, you can find out what a company or organization knows about you. You can only ask for your own information; however, a lawyer can make a request on behalf of someone else as well.

It’s said that Tinder has sent somebody 800 pages of information about their use of the app, including education details, the age range they were interested in, and the location of every single match.

This includes the information that was asked for, but the organization also has to explain why the data was processed in the first place, how it was used, and how long it was kept.

Also, the ICO (The UK’s independent information rights authority) says that the individuals “have the right not to be subject to a decision” especially if it has an effect on a person.

Of course, there are some exceptions but people must be provided with an explanation regarding a decision made about them.

If an organization or a company doesn’t process an individual’s personal data in the correct way, it can be subject to a fine. Also, if an organization or a company doesn’t have a data protection officer even though it’s required, then again, it can be subject to a fine in the event of a security breach.

The French data protection regulator, the National Data Protection Commission (CNIL), fined Google, and the amount of fine was €50 million.

The biggest GDPR fines

  • Amazon — €746 million ($877 million)
  • WhatsApp — €225 million ($255 million)
  • Google — €50 million ($56.6 million)
  • H&M — €35 million ($41 million)
  • TIM — €27.8 million ($31.5 million)

How do I comply with the GDPR?

There are some measures that companies or organizations can take to be able to comply with the GDPR both in technical and operational terms.

Initially, they should protect the personal data they control. They can also conduct a GDPR assessment to determine what personal data they process, where it is stored, and whether it is secure.

They should be aware of what the GDPR says in its privacy principles such as the concept of consent and data portability.

The information must be collected for legitimate and explicit purposes and shouldn’t be processed for different purposes afterward.

There are also Data Protection Officers that you can hire so that they can check everything for you.

Data Protection Officer

A Data Protection Officer is somebody who is responsible for ensuring your company’s compliance with GDPR and with data protection in general. This person should have knowledge of both information technology and law.

Encryption for GDPR

Encryption is one of the most feasible ways to secure data and it can be used to secure personal data as well.

For instance, if you regularly send emails containing personal information at the office where you work, using an encrypted email service would make more sense than anonymizing the data each time.

This works just like how blockchain works.

End-to-end email encryption is a method where only the sender and the receiver can read the email. The data is encrypted before it is sent, and only the intended recipient is able to decrypt and read the message, or even to modify it. Therefore, it cannot be read by anyone else, let alone tampered with by someone else. This method gives us a high level of confidentiality.

References

“22 Biggest GDPR Fines of 2019, 2020 & 2021 (so Far) — Updated 2021.” Tessian

Burgess, Matt. “What Is GDPR? The Summary Guide to GDPR Compliance in the UK.” WIRED

CHAFEA Procedure for Handling Data Subject Access Requests

“FAQ.” GDPR.eu

Nadeem, M Salman, and Mailfence Team. “End-to-End Email Encryption. What Is It and How Does It Work?” Mailfence Blog

Olsen, Nicole. “The 6 Privacy Principles of the GDPR.” Privacy Policies, PrivacyPolicies.com

“What Is Personal Data?” Information Commissioner’s Office

“What Personal Data and Information Can an Individual Access on Request?” European Commission
