0
  • Home
  • Blog
  • General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant

General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant

General Data Protection Regulation

The General Data Protection Regulation is a European Law containing hundreds of pages of articles clarifying the data rights of the companies operating in the EU and their users/customers. This blog is going to give you a clear idea about GDPR.

Undoubtedly GDPR law is the strictest rule in the EU. It is so standard that even after ‘Brexit,’ the UK kept the law in effect (called ‘UK-GDPR’). Any violation of GDPR articles from enforcing countries must face the courts. Many US clients and business groups are facing trouble for the rule as historically, a US company (Facebook) was held responsible for the law.

GDPR law has become a role model for other countries as every tax-paying Citizen holds the right to have privacy about their data. The EU and UK have their law of GDPR to restrict the business groups, whether national or multinational, from manipulating Citizen’s data. The daunting fines for violating the articles are demoralising the enterprises. They get to sleep in peace, knowing their privacy is safe.

If you are reading this, then you must be looking for a complete training course. Enrol in The GDPR Training Course to do a certification course and be an expert.

Behind the Creation of GDPR

If you are thinking why after so many years of establishing the EU, they formed a fearsome law for businesses? This story is for you then.

The starting era of the 21st century is the boom of social media applications and the internet over every vital communication. The emergence of Google and Facebook is so important that they were forced to use each other as an ally. The intensity rose when Snowden (former US spy) opened a report about eavesdropping on the EU officials. The problem began when a Google user sued Facebook in 2011 to scan emails that were supposed to be private. After two months, the EU data protection authority declared the need for a data protection law.

The EU parliament passed the GDPR motion in 2016, and it is in effect from May 25, 2018. All operating organisations of the EU have to stay compliant with GDPR.

Is GDPR For Everyone?

If you are operating in a country enforced by GDPR and dealing with personal information, it applies to your company. It is not necessary to be on the EU territory to be convicted. If you deal with the EU or UK citizen information anywhere in the world, GDPR deals with you. This law is known to the EU as an ‘extra-territorial effect.’

Compliance Requirement

Article 3 of GDPR dictates-

  1. The Regulation applies to the processing of personal data in the context of activities of an establishment of controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services, payment of data subject is required, to data subjects in the Union; or
    2. monitoring of their behaviour as far as their behavior takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies under public international law.

    So Article 3.1 holds responsible for every domestic and international company that processes EU citizens’ data.

    Article 3.2 has two sub-sections.

When Does GDPR Sue Outsiders?

According to Article 3.2, two types of outsiders have to maintain General data protection regulation, the GDPR.

1. Offering goods and services

E.g., Google, the giant tech company, gives online services to the EU extensively. So google is a compliant organisation that abides by GDPR rules. Huawei is an internet provider company in the EU that is headquartered in China but compliant with GDPR for dealing with EU citizen information.

2. Monitoring EU citizens' behavior

E.g. US web development company based in Los Angeles, California, selling websites mainly to US businesses. But if they try to track and analyse EU visitors to the company’s website, then this may be subject to the provisions of the GDPR guidelines.

Every Citizen is responsible!

No. Pure personal and household activity are outside the GDPR eligibility. Collecting email addresses for party invitations/ picnics is not a GDPR violation.

Another one is exempted, a company with below 250 employees. But small and medium-sized enterprises are not exempt from GDPR guidelines.

The Accuser, Accused and Accusing Content

GDPR guidelines use very formal and specific terms.

Accusing Content

Personal Data is the content for which an EU citizen can accuse you. Any company that deals with the EU citizens information is compliant to data protection protocol. The person, him/herself, doesn’t need to complain against any data privacy protocol. Local authorities also have the right to do so. Fake data input is also a crime in the privacy protocol (e.g. using someone’s picture to open a duplicate account).

The Accused

Usually, the company is held responsible for every employee’s action. So the data misuse or manipulation may happen by one or multiple employees or a branch, but the entire company will be sued for this. The probable personals are-

1. The data processors

Any action done on data is processing. These actions include collecting, recording, organising, structuring, storing, using, erasing. So whoever does such work with acquired personal data called a data processor.

2. The data controllers

The person or board that decides why and how data will be processed. The board of members of the owner of the company or a branch of the company or an employee can be the data controller.

3. The third party

If the data controller hires someone to process data on his behalf, then the hired company or person is a third party. GDPR has some special rules about third party data processing.

The Accuser

The person whose data is being processed. Usually, these people are the customers, users or visitors of the site. In GDPR fact, they are known as ‘the subject’.

GDPR Compliance Requirements

If you want to stay compliant to GDPR rules, Article 5.1-2 stated seven protection and accountability rules for you.

General Data Protection Regulation (GDPR) What you need to know to stay compliant
  • Lawfulness, fairness and transparency: Data processing should be lawful, fair, and transparent.
  • Purpose limitation: It’s like your social site wants access to all your online accounts.
  • Data minimisation: A Facebook account requiring your parent’s name is unnecessary. A bank account requiring your life history is unnecessary.
  • Accuracy: A good example is using a random(another person) profile picture to open an account or fake parent's name to open a bank account.
  • Storage limitation: You cannot store an ex-customer/user’s data if all services and deals are done.
  • Integrity and confidentiality: If it's up to your company to protect personal data, then you have to maintain privacy procedures and confidentiality. Yes, you have to maintain encryption pretty well.
  • Accountability: Accuser/ the subject will not accuse an employee or a specific person if he/she wants to sue. Instead, the data controller will be sued so in a way, the company itself.

Accountability to Data Security

According to GDPR, you have to demonstrate how you are compliant to GDPR. Only signing a contract paper will not make you GDPR compliant. You have to appoint

  • Data protection team
  • Maintain detailed documentation of your data collection, usage, storing, employees responsible for it, etc
  • Take the necessary measures and train your employees
  • Appoint a Data Protection Officer according to article 38
  • Third-party data protection contract in case of outsourcing

Data Protection Protocol

Appropriate technical and organisational measures.” has to be implemented to handle data security. Technical measures indicate two-factor authentication and end-to-end encryption.

Organisational measures indicate staff training, privacy policy and access limitation of all employees to personal data.

If your site is compromised, you will have 72 hours to notify the subjects otherwise be fined.  (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)

Process the Data If-

  • There is a specific concession, e.g. various sites do personality check by processing social data.
  • There is an urge to process data before a contract sign, e.g. dig up the background before a government job or leasing a property.
  • You are legally obligated to share data, e.g. Authority checks. By far, Apple is the safest data privacy company among the tech giants (refused to share a video to the government of a murdered journalist). However, refusal can not happen in the EU or the UK.
  • Life at stake or endangered, you will know when data processing is allowed.
  • Processing is necessary to do an action in public service, e.g. an online study platform or job platform.
  • You have a legitimate interest, e.g. this section is too complex to explain in an example.

Consent of the Subject

The consent of the subject is a prerequisite to process his/her data. The GDPR rules imply that consent must be-

  • Freely given, specific, informed and unambiguous.
  • Requested as clearly distinguishable from the other matters, in clear and understandable language.
  • Owned by the subject and subject alone. The subject holds the right to withdraw this consent anytime, and the company is obliged to honour this.
  • Granted from children above 13 or otherwise, parent’s concession is needed.
  • Documented securely to show proof of the agreement.

Know Your Rights

A data subject has some right to claim if they use/visit a data processing site. There is a whole

chapter about data subjects’ rights (GDPR cp-3). In summary, they are-

  • The right to be informed
  • The right of access
  • The right to rectify
  • The right to restrict processing
  • The right of erasure
  • The right to data portability
  • The right to object
  • Rights concerning automated decision-making and profiling.

CopyRight of GDPR.EU

If there are any violations to any article of GDPR, the site or the company will be fined if found guilty.

GDPR Violation Fine

GDPR violation penalty is one of the toughest in the world. There are two tires of GDPR violation.

The less severe

This kind of infringement can result in maximum €10 million or 2% of a company’s global revenue (whichever is highest). The acts behind this huge fine are described-

➔   Controllers and Processors that manipulate personal data collected from customers and do not abide by Articles 8, 11, 25-39, 42, and 43.

➔   Certification bodies that do not/cannot certify the evaluation and assessment process of their certification programs and by that violating Articles 42 and 43.

General Data Protection Regulation (GDPR) What you need to know to stay compliant

Source: Privacy Affairs GDPR Fines Tracker

➔   Monitoring bodies that do not maintain a proper procedure in handling complaints or reported infringements impartially and transparently.

The more serious

This kind of infringement can result in a maximum €20 million or 4% of a company’s global revenue (whichever is highest). The acts behind this huge fine are described-

  •    Basic principles of data processing indicating lawfulness, fairness and transparency. Articles 5, 6 and 9 dictate the laws.
  •    The permission/consent of the users to use/manipulate data. Article 7 clarifies the rule.
  •    Articles 44-49 say that transfer of data to a third country without any legal notice is also a violation of GDPR law.

So to avoid such a huge fine, you need a data protection officer(DPO). A person to monitor all the personal data your company deals. 

Enrol The GDPR Training Course Become a Data Protection Officer

Some Biggest Fines and the Companies

Some multinational and national companies are fined a record amount in recent years. The big five companies are-

General Data Protection Regulation (GDPR) What you need to know to stay compliant fines

Source: PrivacyAffairsGDPRFinesTracker

Google- €50 million

The French authority sued google for lack of transparency in processing citizens’ data. Google failed to provide proof against user consent policy to show ads and control of data.

TIM- €27.8 million

This telecommunication giant invaded non-authorised personal information as an aggressive marketing policy. They contacted a few million individuals (150 times more per-month) who were not their customers by acquiring their name, surname or company name; tax code or VAT number; telephone line; address; contact details without permission. They violated some serious GDPR facts in this process.

Austrian Post- €18 million (additional 1.8 million for investigation)

Austrian Post had accounts of over one-third of the national population and sold their names to a third party. This crime was so grave that the authority invested an additional 1.8 million euro in finding the names of victims (political leaders were there too).

Deutsche Wohnen SE – €14.5 million

The German real estate company was accused of keeping their tenant’s unnecessary information and was not compliant to data retention law of GDPR facts. They actually could not provide any real use of their tenants’ information in their archive, which GDPR strictly implies.

 

1&1 Telecom GmbH – €9.5 million

This German telecom company did not have proper security of the customer data. As a result, it was easy for an outsider to access personal data which GDPR condemns. 

 

Closing Note

So these penalty histories probably gave you an insight about General Data Protection Regulation, GDPR facts. Nowadays, every company that operates in GDPR enforced territory has a Data Protection Officer (DPO) to avoid a humongous fine. So career is bright if you are looking to be a GDPR expert instead of opening a company.

Enrol The GDPR Training Course Get 25% off with free certificate
Read More Blogs
April 29, 2025

 

0
    0
    Your Cart
    Return to Shop

    Upgrade to get UNLIMITED ACCESS to ALL COURSES for only £49 per year

    ADD OFFER TO CART

    No more than 50 active courses at any one time. Membership renews after 12 months. Cancel anytime from your account. Certain courses are not included. Can't be used in conjunction with any other offer.

      Apply Coupon
        Training Express Logo Dark

        Why a Privacy Policy?

        The Training Express privacy policy (the “Privacy Policy”) is all about letting you know as a Training Express customer that we take the protection and management of your personal information very seriously. As a UK based business our handling of your information is controlled by the UK Data Protection Act 2018). We therefore take great care to protect your personal information or anything which might identify you personally such as:

        • Name
        • Email address
        • Organisation information (e.g. Name, Address, Telephone number)

        How do we collect information about you?

        Training Express offers services which can be purchased via the website and application and can be paid for online or offline. During the purchase process we will require personal and organisation information. Training Express also offers a free trial via the website which require the same personal and organisation information.

        How do we use your information?

        Information we obtain from you is used to:

        • Improve and extend our services
        • Respond to your requests for specific services
        • Analyse user/purchaser/visitor interactions
        • Market additional Training Express services

        Legal requests for information

        Training Express may be required under court order to provide personally identifiable information to government authorities. Providing such government departments/agencies have legal right to access our records and such enquiries are correctly made, we will supply such authorities with the information they require.

        With whom do we share your information?

        We would only share personally identifiable information with third parties if:

        • you agree to us sharing this information.
        • we are forced to bring legal actions against a subscriber who has breached our user agreement.
        • we sell, assign or transfer all or part of Training Express and the services it provides, providing your personal information is sold, assigned or transferred only to the acquirer as part of such a transaction.
        • they are providing services to Training Express. Such third parties are limited in their rights to use such information only for the provision of these services to Training Express.
        • they are affiliates subject to privacy policies that protect your personally identifiable information from disclosure are comparable to this privacy policy.

        How long do we retain your information?

        We retain your information so long as you remain a subscriber and by default for 12 months subsequent to termination of your subscription. You can request earlier permanent deletion of your data if you wish but your data will reside in backups for a period of 3 months thereafter.

        Information Security

        The Training Express website and application have various security measures in place to protect the loss, misuse and alteration of the information under our control. Although no security measure is fool proof, we believe that these measures are consistent with good practice as 2 of 5 Privacy Policy modern technology permits. For more information on information security please see our Information Security Statement.

        Email Privacy

        We follow email marketing best practices at all time. A key aspect of these best practices is the operation of permission based emailing. If you receive emails from Training Express or a partner it will be because you have elected to receive such emails or they are communications related specifically to services requested.

        Call Privacy

        We record all incoming and outgoing calls for contractual and training purposes. Call recordings are retained for a period of 24 months and are never shared with third parties.

        Outbound links

        The Training Express website and application contain links to other websites. While links are reviewed at the time of publishing we are not responsible for the content of external links as they can be changed without our knowledge.

        Your rights

        You have various rights in respect of the personal information Training Express holds about you – these are set out in more detail below. If you wish to exercise any of these rights, you can do so by contacting Training Express at www.Training Express.co.uk/contact-us. Please note that you will need to provide Training Express with evidence of your identity.

        Request access to your personal information: You can ask Training Express to give you a copy of the personal information that Training Express holds about you.

        Request correction: You can ask Training Express to change or complete any inaccurate or incomplete personal information held about you.

        Request erasure: You can ask Training Express to delete your personal information where it is no longer necessary for Training Express to use it, you have withdrawn consent, or where Training Express has no lawful basis for keeping it. 

        Right to object: You can object to Training Express processing of your personal information where Training Express is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where Training Express is processing your personal information for direct marketing purposes.

        Request restriction: You can ask Training Express to restrict our use of your personal information in the following circumstances: a) if you want us to establish the data’s accuracy; (b) where Training Express’s use of the data is unlawful but you do not want Training Express to erase it; (c) where you need Training Express to hold the data even if Training Express no longer require it as you need it to establish, exercise or defend legal claims; or (d) if you have objected to our use of your data but Training Express needs to verify whether Training Express has overriding legitimate grounds to use it.

        Request transfer: You can ask us to provide you or a third party with some of the personal information that Training Express holds about you in a structured, commonly used, electronic form, so it can be easily transferred.

        Withdraw consent: If you have given Training Express your consent to use personal information (for example, for marketing), you can withdraw your consent at any time. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, Training Express may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Training Express tries to respond to all legitimate requests within one month. Occasionally it may take Training Express longer than a month if your request is particularly complex or you have made a number of requests. In this case, Training Express will notify you and keep you updated.

        Use of Cookies

        Cookies are small files which many websites transfer to your hard disk. They can inform the website what pages you visit, and your preferences, which enable websites to provide you with a more personalised service. You can set your browser to refuse cookies or to warn you before accepting them.


        We use cookies, but most parts of our site can be accessed even if your cookies are turned off. But you may find there are parts of the site which you cannot access if your cookies are turned off.

        We work with several third-party services that use cookies, including:

        **Rakuten Advertising Cookies:**

        – **rmStoreGateway**: Used for affiliate marketing tracking (expires after 180 days)

        – Stores: Merchant ID, Encrypted Affiliate ID, Click ID, and timestamps

        – Purpose: Ensures proper commission attribution for our affiliate partners

        – **rmuid**: Used by Rakuten Advertising Affiliate Network for targeting (expires within 365 days)

        These cookies help us track referrals from our marketing partners. For more information, please see:

        Rakuten Advertising’s Privacy Policy

        Contact information

        If you have any issues with correcting this information in our database or queries concerning this policy please email support@trainingexpress.org.uk or call us on +44 (0) 2081583412

        We endeavour to respond to all support requests within 24 hrs.

        Policy changes

        Training Express reserves the right to change its privacy policies at any time. Up to date policies are always available on our website. 4 of 5 Privacy Policy Legal Agreement This Privacy Policy forms part of a legal agreement between you and Training Express.

        ×

        Hello!

        Click one of our contacts below to chat on WhatsApp

        Social Chat is free, download and try it now here!

        × How can we assist you today?