What is GDPR? The summary guide to GDPR compliance in the UK

GDPR doesn't say what good security practices look like, as it's different for every organisation. A bank will have to protect information in a more robust way than your local dentist may need to. However, broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymisation is encouraged.

“Your cybersecurity measures need to be appropriate to the size and use of your network and information systems,” the ICO says. If a data breach occurs, data protection regulators will look at a company's information security setup when determining any fines that may be issued. Cathay Pacific Airways was fined £500,000, under pre-GDPR laws, for exposing 111,578 of its UK customers' personal information. It was said the airline had “basic security inadequacies” within its setup.

[h3]Accountability /h3]

Accountability is the only new principle under GDPR – it was added to ensure companies can prove they are working to comply with the other principles that form the regulation. At it simplest, accountability can mean documenting how personal data is handled and the steps taken to ensure only people who need to access some information are able to. Accountability can also include training staff in data protection measures and regularly evaluating and data handling processes.

The “destruction, loss, alteration, unauthorised disclosure of, or access to” people's data has to be reported to a country's data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. In the UK, the ICO has to be informed of a data breach 72 hours after an organisation finds out about it. An organisation also needs to tell the people the breach impacts.

For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place. GDPR's Article 30 lays out that most organisations need to keep records of their data processing, how data is shared and also stored.

Additionally, organisations that have “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.

The accountability principle can also be crucial if an organisation is being investigated for potentially breaching one of GDPR's principles. Having an accurate record of all systems in place, how information is processed and the steps taken to mitigate errors will help an organisation to prove to regulators that it takes its GDPR obligations seriously.

What are my GDPR rights?

While GDPR arguably places he biggest tolls on data controllers and processors, the legislation is designed to help protect the rights of individuals. As such there are eight rights laid out by GDPR. These range from allowing people to have easier access to the data companies hold about them and for it to also be deleted in some scenarios.

The full GDPR rights for individuals are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling.

---

— Update: 13-03-2023 — us.suanoncolosence.com found an additional article Complete Guide to GDPR: General Data Protection Regulation from the website wirewheel.io for the keyword gdpr general data protection regulation.

Introduction

The General Data Protection Regulation (GDPR) was adopted on April 14, 2016 and went into effect on May 25, 2018. The GDPR governs data protection and privacy in the European Union and in the European Economic Activity (EEA).

The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

The GDPR was the first comprehensive data privacy law and has inspired other legislations around the world from the California Consumer Privacy Act (CCPA) to Brazil’s Brazil’s Lei Geral de Proteção de Dados (LGPD).

Official text

Click here to access the full official text of the GDPR.

Effective Date

The GDPR went into effect on May 25, 2018.

Applicability

The GDPR applies to both Data Controllers and Data Processors:

• Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU,
• Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.

Covered Personal Information

Under this EU Data Protection Law, Personal data is any information relating to an identified or identifiable data subject. 

The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies.

Sensitive Data

The following personal data is considered ‘sensitive’ under the GDPR and is subject to specific processing conditions: 

• Racial or ethnic origin,
• Political opinions,
• Religious or philosophical beliefs,
• Trade-union membership,
• Genetic data,
• Biometric data processed solely to identify a human being,
• Health-related data,
• Sex life or sexual orientation.

Anonymous, De-identified, Pseudonymous, or Aggregated Data

Under the GDPR, Pseudonymous data is considered personal data. 

Anonymous data is not considered personal data. 

While the GDPR does not mention de-identified data, the CCPA definition is similar to GDPR’s concept of anonymous data.

Children

The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.

Children must receive an age-appropriate privacy notice. 

Children’s personal data is subject to heightened security requirements.

Privacy Notice

Under this privacy regulation, data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or a third party.

Consumer Rights

The GDPR introduced the following consumer rights:

• Right to information,
• Right to access,
• Right to rectification,
• Right to erasure,
• Right to restriction of processing,
• Right to data portability,
• Right to objection,
• Right to avoid automated decision-making.

Contracting

The GDPR requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller. The contract should include:

• Type of data,
• Duration of processing,
• The rights and obligations of both parties, with specific obligations for the processor.

Data Protection Assessments

The GDPR Article 35, requires data protection assessments when processing personal data for certain functions such as targeted advertising, the sale of the data, certain types of profiling, the processing of sensitive data, and processing that presents a heightened risk of harm to consumers.

Transfer Impact Assessments are required for all transfers of sensitive data outside of the EEA.

Enforcement

The GDPR is enforced by the European Data Protection Board (EDPB) as well as binding decision-making by the Data Protection Authorities (DPA) of the member states.

Private Right of Action

The GDPR does have a provision for private rights of action.

Penalties and Damages

Under the GDPR, administrative fines can reach up to EUR 20 million or 4% of annual global revenue, whichever is highest

Cure Period

The GDPR does not provide a cure period.

Exemptions

The only way to be exempt from the GDPR is if you: 

Read also:

Article post on: us.suanoncolosence.com

• How to resolve NetBT 4311 Error causing a Windows PC to restart
• How to get new Microsoft office UI in windows 11?
• How to navigate Windows using a keyboard
• 7-Zip review & download: Open Source File Archiver software for Windows 11/10 PC
• How To Block Mixer On The Xbox One

• Actively discourage the processing of data from EU data subjects (i.e., block your site in the EU),
• Process personal data of EU citizens outside the EU as long as you don’t directly target EU data subjects or monitor their behavior.

Data Breach

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.     

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact points where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

WireWheel offers a complete solution to help manage the requirements of GDPR, including a solution to fulfill employee DSARs, including an integration with Microsoft Priva and connectors to over 500 plus systems including HR systems such as Workday and Oracle. Contact us to learn more.

---

— Update: 20-03-2023 — us.suanoncolosence.com found an additional article How does the GDPR affect email? from the website gdpr.eu for the keyword gdpr general data protection regulation.

The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people’s privacy rights. In this article, we’ll explain how to ensure GDPR email compliance.

Email users send over 122 work-related emails per day on average, and that number is expected to rise. While we may not think of email as subject to the European Union’s General Data Protection Regulation (GDPR), your mailbox in fact contains a trove of personal data. From names and email addresses to attachments and conversations about people, all could be covered by the GDPR’s strict new requirements on data protection.

Any organization (companies, charities, even micro-enterprises) that handles the personal information of EU citizens or residents is subject to the GDPR. That includes organizations not in the EU but that offer goods or services to people there. The requirements basically boil down to two things: secure people’s data, and make it easy for people to exercise control over their data. (Our “What is the GDPR?” article provides an overview.) Those who don’t follow the rules can get hit with a fine of €20 million or 4 percent of global revenue, whichever is higher, plus compensation for damages.

While most of the focus regarding GDPR email requirements has centered around email marketing and spam, there are other aspects, such as email encryption and email safety, that are equally important for GDPR compliance. Below we’ll explain what the GDPR actually says and what it means for email.

Keep in mind that nothing you read here is a good substitute for legal advice. We recommend consulting with an attorney to understand how the GDPR applies to your specific situation.

What the GDPR says:

If you collect, store, or use the data of people in the EU, then the GDPR applies to you. And that means you may have an obligation to change the way your organization operates in some fundamental ways.

The GDPR requires “data protection by design and by default,” meaning organizations must always consider the data protection implications of any new or existing products or services. Article 5 of the GDPR lists the principles of data protection you must adhere to, including the adoption of appropriate technical measures to secure data. Encryption and pseudonymization are cited in the law as examples of technical measures you can use to minimize the potential damage in the event of a data breach.

Source: us.suanoncolosence.com

What it means for email:

When it comes to email, encryption is the most feasible option. As little as five years ago, that would not have been true. But email encryption technology has developed rapidly, and several companies now offer end-to-end encrypted email service. Cloud-based, secure email is now a convenient and practical option. (Disclosure: GDPR.eu is run by Proton Mail, the world’s largest encrypted email service, and funded in part by the European Union’s Horizon 2020 Framework Programme.)

While encryption is not required, it is up to every organization to develop a rationale for developing the most appropriate data security practices.

What the GDPR says:

Data erasure is a large part of the GDPR. It is one of the six data protection principles: Article 5(e) states that personal data can be stored for “no longer than is necessary for the purposes for which the personal data are processed.” Data erasure is also one of the personal rights protected by the GDPR in Article 17, the famous “right to be forgotten.” “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” There are some exceptions to this latter requirement, such as the public interest. But generally speaking, you have an obligation to erase personal data you no longer need.

What it means for email:

Many of us never delete emails. There are plenty of good reasons: We may need to refer to them someday as a record of our activities or even for possible litigation. But the more data you keep, the greater your liability if there’s a data breach. Moreover, the erasure of unneeded personal data is now required under European law. Because of the GDPR, you should periodically review your organization’s email retention policy with the goal of reducing the amount of data your employees store in their mailboxes. The regulation requires you to be able to show that you have a policy in place that balances your legitimate business interests against your data protection obligations under the GDPR.

From a technical standpoint, email data erasure can be quite simple and often it can be automated. Proton Mail and some other email services have an expiring email option that allows you to set messages for deletion after a designated length of time. Whatever email retention strategy your organization decides, it’s going to require some getting used to but will significantly lower your GDPR exposure.

What the GDPR says:

Among the other data protection principles in Article 5 are “lawfulness, fairness, and transparency.” This means you can only use people’s data if it’s allowed under one of six legal justifications, it must be fair to the data subject, and it must be based on transparent and unambiguous communication with the data subject. (The “data subject,” by the way, is the identifiable person the data is about.)

There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in Article 6. The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically:

• • Consent must be “freely given, specific, informed and unambiguous.”

• • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”

• • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.

• • Children under 13 can only give consent with permission from their parent.

• You need to keep documentary evidence of consent.

The sixth legal basis is to have a “legitimate interest” to process the person’s data. Although the term is vague and could apply to a broad range of situations, you may have a hard time relying on this basis because the “fundamental rights and freedoms of the data subject” can often override your legitimate interest. Moreover, it remains to be seen how regulators and the courts will interpret this basis. You probably don’t want to be a test case.

The other four lawful bases are less common, but it’s a good idea to review Article 6 to make sure they don’t apply to you. The bottom line is that you should be very careful about using someone’s data unless you’re sure the person wants it used that way.

However, the ePrivacy Directive, specifically Article 13, presents organizations with another way to use a person’s data for marketing purposes that stems from the contractual basis of the GDPR. In the context of a sale of a good or service, an organization, “may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner,” according to Article 13, part 2. Essentially this means that an organization can lawfully send you marketing emails about the service they provide you as long as they inform you that you can opt-out at any time and there is the option to unsubscribe in every communication.

What this means for email:

After the GDPR passed, some people said it would be “the end of email marketing” or “the end of spam.” But it will be neither. Spam has always been outlawed or against the terms of use of most email providers. Those who send unsolicited or malicious mass emails will probably continue to send them. Did your spam folder dry up after May 25, 2018, when the GDPR took effect?

As for email marketing, the GDPR does not ban email marketing by any means. The GDPR did not set out to be anti-business, just pro-consumer. A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to ask for an affirmative opt-in to be able to send communications. And you must also make it easy for people to change their mind and opt-out. Only if a marketing email does not present the option to unsubscribe, is sent to someone who never signed up for it, or does not advertise a service related to one the receiver uses is it violating the GDPR.

What the GDPR says:

There’s one more email aspect of the GDPR, and that’s email security. Article 5(f) says you must protect personal data “against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

What this means for email:

Email encryption is a technical measure. Organizational measures have to do with internal policies, management, and training. Ninety-one percent of cyber attacks begin with a phishing email, in which hackers attempt to gain access to an account or device using deception or malware. Links and attachments from unknown accounts should never be clicked or downloaded. Once an attacker gains access to one account or device, it’s often easy to access others, meaning a mistake by one employee could compromise vast amounts of data. If you cannot show regulators that you have implemented the proper technical and organizational measures, then you could be on the hook for huge EU fines and compensation to data subjects.

To avoid liability, it’s important to educate your team about email safety. Basic steps like requiring two-factor authentication can go a long way toward protecting data and complying with the GDPR.

---

— Update: 20-03-2023 — us.suanoncolosence.com found an additional article What is GDPR, the EU’s new data protection law? from the website gdpr.eu for the keyword gdpr general data protection regulation.

What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help you understand the law and determine what parts of it apply to you.

Via @: us.suanoncolosence.com

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

Read also:

• How to Set a Gif as Desktop Background On Windows PCs
• Vidmasta Download Free for Windows 7, 8, 10
• What Is Secure Boot? How to Enable and Disable It in Windows? [MiniTool Wiki]
• Viber Won’t Open in Windows! – Problem Solved!
• How to increase Maximum Volume beyond 100% in Windows 11/10

With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

We created this website to serve as a resource for SME owners and managers to address specific challenges they may face. While it is not a substitute for legal advice, it may help you to understand where to focus your GDPR compliance efforts. We also offer tips on privacy tools and how to mitigate risks. As the GDPR continues to be interpreted, we’ll keep you up to date on evolving best practices.

If you’ve found this page — “what is the GDPR?” — chances are you’re looking for a crash course. Maybe you haven’t even found the document itself yet (tip: here’s the full regulation). Maybe you don’t have time to read the whole thing. This page is for you. In this article, we try to demystify the GDPR and, we hope, make it less overwhelming for SMEs concerned about GDPR compliance.

History of the GDPR

The right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.

As technology progressed and the Internet was invented, the EU recognized the need for modern protections. So in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data Hoover it is today. In 1994, the first banner ad appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.

The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.

Scope, penalties, and key definitions

First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. We talk more about this in another article.

Second, the fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. We also talk more about GDPR fines.

The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:

Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.

Data subject — The person whose data is processed. These are your customers or site visitors.

Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.

Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like Proton Mail.

What the GDPR says about…

For the rest of this article, we will briefly explain all the key regulatory points of the GDPR.

Data protection principles

If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:

1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
4. Accuracy — You must keep personal data accurate and up to date.
5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Accountability

The GDPR says data controllers have to be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways you can do this:

• Designate data protection responsibilities to your team.
• Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
• Train your staff and implement technical and organizational security measures.
• Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
• Appoint a Data Protection Officer (though not all organizations need one — more on that in this article).

Data security

You’re required to handle data securely by implementing “appropriate technical and organizational measures.”

Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.

Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organization who need it.

If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)

Data protection by design and by default

From now on, everything you do in your organization must, “by design and by default,” consider data protection. Practically speaking, this means you must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25.

Suppose, for example, you’re launching a new app for your company. You have to think about what personal data the app could possibly collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.

When you’re allowed to process data

Article 6 lists the instances in which it’s legal to process person data. Don’t even think about touching somebody’s personal data — don’t collect it, don’t store it, don’t sell it to advertisers — unless you can justify it with one of the following:

1. The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
3. You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
4. You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
5. Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
6. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data. (It’s difficult to give an example here because there are a variety of factors you’ll need to consider for your case. The UK Information Commissioner’s Office provides helpful guidance here.)

Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject (transparency!). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject.

Consent

There are strict new rules about what constitutes consent from a data subject to process their information.

• Consent must be “freely given, specific, informed and unambiguous.”
• Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
• Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
• Children under 13 can only give consent with permission from their parent.
• You need to keep documentary evidence of consent.

Data Protection Officers

Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which you are required to appoint a DPO:

1. You are a public authority other than a court acting in a judicial capacity.
2. Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. You’re Google.)
3. Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g. You’re a medical office.)

You could also choose to designate a DPO even if you aren’t required to. There are benefits to having someone in this role. Their basic tasks involve understanding the GDPR and how it applies to the organization, advising people in the organization about their responsibilities, conducting data protection trainings, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.

We go in depth about the DPO role in another article.

People’s privacy rights

You are a data controller and/or a data processor. But as a person who uses the Internet, you’re also a data subject. The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.

Below is a rundown of data subjects’ privacy rights:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

Conclusion

We’ve just covered all the major points of the GDPR in a little over 2,000 words. The regulation itself (not including the accompanying directives) is 88 pages. If you’re affected by the GDPR, we strongly recommend that someone in your organization reads it and that you consult an attorney to ensure you are GDPR compliant.

Source: https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

Article post on: us.suanoncolosence.com