Key Elements and Important Changes to the GDPR Regulation

Data Protection

The GDPR applied on 25 May 2018, this new legislation applies to all companies collecting and processing data belonging to European Union (EU) citizens. It involves EU operating companies and/or websites or applications that collect and process EU citizen information.

This strengthens the rights of individuals to control the collection and storage of their personal data and makes companies more responsible for data protection in a range of new responsibilities.

The GDPR Personal Data Key Elements

The GDPR is applicable for personal data. This is any information that can classify a human individual directly or indirectly and in any format. The Regulation makes the collection of specific categories of personal data even easier. Genetic and biometric information inclusion is recent.

Example: name, address, email address, photograph, IP address, location of data, electronic enforcement (cookies), profile data, racing, ethnicity, political views, membership of the trade union, sexual orientation, health information, biometric information, genetic data.

The GDPR criteria are as follows


GDPR understanding is the first prerequisite and no progress will be made to achieve compliance if the decision-makers in your business do not know the new regulations.

Periodic training ensures that employees remain conscious of their responsibilities in terms of personal data protection and identification.

Data that you have (Accountability and Governance)-

In the GDPR you are required to inform the other entity of the inaccuracy if the business shares incorrect personal information with another organization.

You should report what personal information you keep, where it came from, and with whom you share it. You may need to perform a data audit in the entire organization or in certain business areas. You will keep records of your production activities under the GDPR. In doing so, you comply with GDPR’s rule of transparency.

Communication of privacy data (transparency and privacy notices)–

Check the existing privacy notices and put in place a plan to make adjustments to the timeline needed to implement the GDPR. You actually need to provide other informations to individuals, such as your identity and how you plan to use their information when gathering personal data. Typically this is done via a privacy notice. Privacy alerts should be given in simple and understandable language in a succinct, straightforward and easily accessible way.

Under GDPR, all businesses concerned with European citizens ‘ data will need to provide consumers with more information. You’ll need to explain clearly:

  • Your lawful basis for processing EU citizens’ data.
  • Your data retention period.
  • That individual can complain to the ICO if there is a problem with your data handling.

The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.

Incapsula GDPR is a platform where the Compliance and Incident response is automated that Cut time to detect threats and improve your response and visibility.

Data Procedure Covers Individual Rights (Privacy rights of individuals)

Once GDPR is implemented, the user (your customers) have more rights and that must be reflected in your data protection procedures.

The GDPR contains the following protections of persons:

  • The right to be informed
  • The right of access to personal data through subject access requests.
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling.

This data should be given in a commonly used format and machine-readable form. It must also be made available free of charge.

Subject Access Demands

Under GDPR, individuals are entitled to receive from an organization a copy of their personal information. This is regarded as an application for topic access.

In most cases, you can not charge for fulfillment of a request.

  • You will have a month to comply.
  • You can refuse or charge for requests that are manifestly unfounded or excessive.
  • If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy.

You have to do so without undue delay and in one month at the latest.

If your company handles a large number of access requests, consider the operational implications of coping with requests faster.

You should determine whether designing systems allowing individuals to easily access their information online is feasible or desirable.

The lawful basis for personal data processing

You must define and report the legitimate basis for any collection of personal data. People have a greater right to see their information deleted if they use agreement as a legal basis for processing.

You will also need to explain in your privacy notice your legitimate basis for processing personal data and when you respond to a subject access request. The legal basis in the GDPR is essentially the same as the production requirements in the DPA.

You should be able to examine the types of storage tasks you conduct and to recognize the legitimate basis for that. You will report your legal bases to help you meet the’ accountability’ provisions of the GDPR.

The legal basis is:

  • Direct consent from the individual
  • The necessity to perform a contract
  • Protecting the vital interests of the individual
  • The legal obligations of the organization
  • The necessity for the public interest
  • The legitimate interests of the organization.

Valid Consent

GDPR sets a high standard of consent and could result in a major revision of your customers ‘ consent. GDPR has been made clear that there must be a clear indication of agreement and an affirmative action. Controllers have to document how and when a person has given their consent and they can revoke their consent whenever they want.

Stricter rules are in place to obtain consent:

  • Consent must be freely given, specific, informed and unambiguous.
  • A request for consent must be intelligible and in clear, plain language.
  • Silence, pre-ticked boxes, and inactivity will no longer suffice as consent.
  • Consent can be withdrawn at any time.
  • Organisations must be able to evidence consent.
  • Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data.

Baby data protection

Additional safeguards of children’s personal data will be enforced by GDPR. Organizations must begin implementing programs to check their ages or receive custodial consent for any data processing.

If your organization offers children online services (info society services) and relies on consent to collect information on them, you may need the consent of a parent or guardian in order to legalize the processing of their personal data.

The GDPR sets the age for a child to agree to this care at 16. If a child is younger, you need a person with’ parental responsibility’ to give consent. Note that consent must be verifiable and that your privacy notice must be written in the language that children can understand while collections of children’s data.

Report data infringements

GDPR allows all companies to warn the governing body and the clients of certain forms of data breaches.

You will inform the appropriate stakeholders of any bias, reputation damage, financial loss, or loss of privacy arising from your data breach.

Data infringements must be reported within 72 hours of disclosure to the Data Protection Authority. Persons affected should be told where their rights and freedoms, such as identity theft, personal safety, are highly risky.

Personal data must be secured from unauthorized storage and accidental loss, degradation or harm. You will register the data types you keep and report when you are asked to inform the ICO.

If a violation is not documented, even by mistake, you will get a penalty— 2 percent of worldwide sales or 11 million dollars, whichever is higher. In addition to the fine, you must pay for the infringement itself.

Develop data protection and impact assessments of data protection

Good data protection policies and protections must be established from the very beginning of all processing:

  • Data protection must be considered at the design stage of any new process, system or technology.
  • A DPIA is an integral part of privacy by design. A profiling operation is likely to significantly affect individuals.
  • The default collection mode must be to gather only the personal data that is necessary for a specific purpose.

If a DPIA indicates that the processing of data is high risk and that these risks are not sufficiently addressed, you are obliged to consult the ICO in order to seek its opinion as to the conformity of the processing with the GDPR.

Data Protection Officer (DPO)–The appointment of a DPO is compulsory for public authorities; high-risk organizations; and special category data processing organizations.

A DPO has defined tasks:

  • Inform and advise the organization of its obligations.
  • Monitor compliance, including awareness raising, staff training, and audits.
  • Cooperate with data protection authorities and act as a contact point.

6 GDPR enforcement measure

Organizations can use this six-stage approach in planning for GDPR:

Recognize the law

Understand the responsibilities under GDPR with respect to gathering, processing and storing information, including the various different categories of legislation.

Build a map of the way

Perform information exploration and report all–analysis, conclusions, decisions, behavior and data risks.

Know that data is controlled

Next, assess whether the data falls within a different GDPR class. Determine who has access to various data types, who shares data and what applications process the data.

Start critical data and procedures

Risk assessment for all private data, and policies and procedures review. Apply security measures to the output of core resources information and extend them to backups and other repositories.

Evaluation and reporting of other risks

Investigate any other software threats not included in previous assessments.

Revise and repeat

Repeat steps four to six and, where necessary, adjust results.



Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.