We live in a data-driven world. Everything you share online is processed and stored, whether you’re booking a flight or posting a photo on social media.
Companies that handle data are responsible for keeping it safe. To ensure they’re held accountable, new global privacy laws have been passed — the most well known being the GDPR.
If you’ve tried to learn about the GDPR, chances are you’ve only encountered pages of confusing legal terminology. Although it’s a complex piece of legislation, its principles are easy to understand for anyone.
Welcome to our GDPR for Dummies guide — everything you’ve ever wanted to know about the GDPR explained in 100% plain English.
1. GDPR for Beginners: Data Privacy 101
Let’s start at the absolute beginning. Understanding the GDPR means knowing where it came from, as well as why we need it.
What is GDPR in Simple Terms?
GDPR stands for General Data Protection Regulation.
It’s a law created in the European Union (EU) to protect the personal data of its citizens. Although it was passed in Europe, it affects businesses worldwide.
When it went into effect on May 25, 2018, the GDPR set new standards for data protection, and kickstarted a wave of global privacy laws that forever changed how we use the internet.
Needless to say, it’s a big deal.
Why Do We Need the GDPR?
Personal data is highly valuable — in fact, it supports a trillion dollar industry.
Companies like Facebook and Google make their profits by selling personal information to advertisers. With this much money at stake, do you trust them to have your best interests at heart?
Didn’t think so.
The GDPR tells companies of all sizes what they can and can’t do with your information. If you know how this key piece of legislation works, you’ll have more control over your life online.
What Is Classified as Personal Data Under GDPR?
Personal data is information that can be used to identify you. Put simply, it’s any private details that you wouldn’t want to fall into the wrong hands.
Here are some examples of personal data:
- Name
- Phone number
- Address
- Date of birth
- Bank account
- Passport number
- Social media posts
- Geotagging
- Health records
- Race
- Religious and political opinions
Think of personal data like a jigsaw. One piece alone might not say much, but connected together they reveal a vivid picture of your life.
What Is a ‘Breach’ Under GDPR?
Any incident that leads to personal data being lost, stolen, destroyed, or changed is considered a data breach. Unfortunately, breaches happen all the time.
Here are some newsworthy examples from before the GDPR started cracking down:
- Almost half the population of the US had their name, date of birth, and social security number stolen from credit reporting agency Equifax as the result of a data breach.
- Political consulting firm Cambridge Analytica secretly took information from 50 million Facebook profiles and gave it to the 2016 Trump campaign.
Both these incidents illustrate how data breaches have serious real-world consequences. This is the landscape that the GDPR and similar laws hope to regulate.
What Are the Penalties for Violating the GDPR?
To make sure companies handle your personal data in a legal, ethical way, the GDPR backs its rules with severe penalties. Fines for noncompliance can reach:
Up to €20 million ($23 million) or 4% of annual global turnover.
Some big names have already been hit with these noncompliance fines:
- British Airways — $230 million. The UK airline set the record for fines when the booking details of 500,000 customers were stolen in a cyberattack.
- Marriott — $123 million. After buying the Starwood Hotels group, Marriott failed to update an old system belonging to the group. This system was hacked, revealing information about 339 million guests.
- Google — $57 million. Important information was hidden when users set up new Android phones, meaning they didn’t know what data collection practices they were agreeing to. The Google GDPR fine shows even tech giants aren’t immune to GDPR enforcement.
Although smaller businesses wouldn’t be hit for such high amounts, they’re held to the same standards.
If you’re ready for a more thorough look at the ins and outs of the GDPR, our What is GDPR? guide will help you fully understand the law’s key requirements.
2. GDPR: A Simple Guide for Internet Users
As a business owner, you’ll have to make sure your operations comply with the GDPR. But how does it affect you as an everyday internet user?
The only thing most people will need to do is read the cookie consent banners that now appear on websites, and click agree (or not). The GDPR affects everything people do online, but it’s mostly working behind the scenes.
Core GDPR Concepts Explained Simply
The following are two of the most common GDPR terms used by security analysts. Understanding them is a vital part of becoming familiar with data protection in general.
Privacy By Design
Privacy by Design (PbD) is the name of an approach to privacy that all businesses should now take when creating products and building websites. PbD involves keeping data collection to a minimum, and building security measures into all stages of a product’s design.
Consent
Obtaining consent simply means asking users for permission to process their data. Companies must explain their data collection practices in clear and simple language, and then users must explicitly agree to them.
These new standards of consent prohibit the use of sneaky pre-selected settings in apps, as well as pre-checked boxes on websites.
Data Protection Act for Dummies: New User Rights
Internet users have many new rights to data privacy under the GDPR. They’re hardly superpowers, but knowing what they are will come in handy if a company is ever negligent with your data.
Here are some of the main user rights outlined by the GDPR:
- You’re entitled to know exactly how your data is collected and used
- You can ask what information has been collected about you (without paying anything)
- If there are mistakes in your data, you can request to have them corrected
- You can have your data deleted from records (just in case you need to disappear!)
- You’re allowed to refuse any data processing, for example, marketing efforts
3. Quick Guide to GDPR Compliance — What Should Businesses Do?
GDPR compliance can be costly and time consuming. Getting a grip on what’s involved can save you money if you run a business, or just protect you if you spend a lot of time online.
If it seems complicated, you’re in good company — 42% of US news sites are still blocking EU users because they haven’t figured out how to comply with the GDPR yet.
Does GDPR Apply to My Website?
If you own a business that targets users in the EU — yes, it does. That includes even small things like collecting email addresses for a newsletter.
However, if you own a small blog or website that neither sells products to nor collects personal information from people in the EU, you’re in the clear.
GDPR Simple Summary of Who’s Who — And Why You Should Care
There are lots of names and acronyms associated with the GDPR. Learning these will help you navigate the policies that websites use to explain their data collection practices.
Use the list below to reel them off like a pro.
- What is a data subject? I’m one and so are you. A data subject is anyone who has their data collected by a company. Basically everyone who has ever used the internet.
- What is a data controller? A data controller is any entity that gathers and stores data — for example, a business.
- What is a data processor? A data processor is a third party that a controller hires to process data on its behalf. Usually, it’s a payroll company.
- Who is the supervisory authority? Each country in the EU has its own supervisory authority. Like a data privacy sheriff, they enforce the GDPR in their region and hand out those hefty fines mentioned earlier.
- What is a data protection officer (DPO)? Companies and public bodies that process lots of data need to appoint a data protection officer (DPO) to handle all their GDPR activities and paperwork.
If you’re feeling particularly inspired after reading this article, now might be a good time to consider a career change! Being a DPO is quite an in-demand job at the moment. Job listings on Indeed.com increased over 700% after the GDPR went into effect.
GDPR Compliance for Dummies
A full step-by-step guide to GDPR compliance would be too much to include here (and wouldn’t make for very exciting reading), but here are the main requirements of the GDPR made simple.
Data Protection Impact Assessments (DPIAs)
If a company’s data processing activities are high-risk and could affect people’s rights and freedoms, it will need to carry out a DPIA.
Examples of high-risk activities include:
- Using new technology
- Tracking anyone’s location
- Processing genetic or biometric data (think 23andMe or DNA testing)
- Marketing to children
Data Breach Notifications
When a data breach occurs, the affected company has 72 hours to inform their supervisory authority. They also have to tell users as quickly as possible.
Privacy Policies
Privacy policies must:
- Include contact details for an EU representative and the DPO (if necessary)
- Describe why the company is collecting the data
- Say how long the information will be kept on file
- Explain the rights users have
- Be written in simple language
GDPR Checklist for Dummies: Dos and Don’ts
There’s no such thing as a true idiot’s guide to GDPR, but any company that follows these dos and don’ts is on the right track:
Do: Collect information legally and use it fairly
Don’t: Mislead users about what you’ll do with their private details
Do: Collect as little data as possible
Don’t: Collect lots of data just because you can
Do: Protect data with strong security systems
Don’t: Assume data will take care of itself
Do: Only store data for as long as necessary
Don’t: Keep old data you don’t need anymore
The US has its own version of the GDPR called the California Consumer Privacy Act (CCPA). Check out our guide to this new law after reading our GDPR summary for dummies.
4. Dummies Guide to GDPR [Infographic]
If you enjoyed this infographic or found it helpful, feel free to share it! Just don’t forget to link to this guide so people can read the whole article.
To print the infographic, click the button below for a GDPR for Dummies PDF download.
Interested in other global privacy laws? Our global privacy laws infographic provides a quick and easy look at them.
5. Key Takeaways: GDPR Explained in 5 Minutes
Well, that’s the General Data Protection Regulation for dummies.
If you made it to the end of this guide, hopefully you now have a firm grasp on the basics of this new law and why data privacy is important in our connected world.
Here are our What is GDPR? for dummies key takeaways:
- The GDPR is a game-changing new privacy law that regulates how companies handle our personal information
- It affects companies worldwide (including businesses in the US) that target customers in the EU
- Companies have to be clear about what they do with the information they collect
- If an organization breaks the rules, fines may run into the millions of dollars
- Internet users don’t have to do anything — but they do have new legal rights
- The GDPR is the first of these new laws, but there are plenty more to come
For more GDPR help, here are some useful resources:
- EU GDPR Homepage — The official GDPR website has plenty of useful information if you want to dig deeper into the legal side of things
- The ICO’s GDPR Guide — This UK authority’s guide is helpful for businesses in any country
If you have any GDPR-related questions — or if there’s anything else you want to know about data privacy for dummies — leave a comment below, and we’ll get back to you!