Companies in breach of the GDPR regulation can be fined up to 4% of annual global turnover or €20 million, whatever is higher. That is the maximum fine to be imposed for the serious infringements such as not having customer consent to collect and to process customer data or violating the core of privacy by design.

Responsibility and accountability

The notice requirements remain and are expanded. They must include the retention time for personal data and contact information for data controller and a data protection officer has to be provided.

Automated individual decision-making, including profiling (Article 22) is made contestable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely algorithmic basis. Many media outlets have commented on the introduction of a "right to explanation" of algorithmic decisions, but legal scholars have since argued that the existence of such a right is highly unclear without judicial test, and limited at best.

In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default.

Privacy by Design and by Default (Article 25) require that data protection measures are designed into the development of business processes for products and services. Such measures include pseudonymisation of personal data, by the controller, as soon as possible (Recital 78).

It is the responsibility and liability of the data controller to implement effective measures and to be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller. (Recital 74). Source: Wikipedia

Personal data

Personal data is defined as any information related to a person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be a name, a photo, an email address, content from social networking, medical information, or a computer IP address, an identification number, location data, online identifier or to one or more factors specific to the physical, genetic, economic, cultural or social identity of that person.

Data processor and a data controller

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Controllers and processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.” Controllers and processors that adhere to either an approved code of conduct or an approved certification may use these tools to demonstrate compliance.


Consent must be explicit for data collected and the purposes data is used for. Consent for children must be given by the child’s parents or custodian, and it must be verifiable. Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.

The conditions for consent have been strengthened, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

Right to Access

Data subjects (EU residents) have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and where and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

Data Erasure ( previously Right to be Forgotten)

The data subject has the right to request the data controller to erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Consent for Children

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

Data Protection Officer (DPO)

DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

Data breaches notification

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.

Data Portability

GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine readable format' and have the right to transmit that data to another controller.

Privacy by Design

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - 'The controller shall..implement appropriate technical and organisational an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'.


The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data. Pseudonymisation is recommended to reduce the risks to the concerned data subjects and also help controllers and processors to meet their data-protection obligations (Recital 28).

Although the GDPR encourages the use of pseudonymisation to "reduce risks to the data subjects," (Recital 28) pseudonymised data is still considered personal data (Recital 26) and therefore remains covered by the GDPR. Source: Wikipedia