GDPR easy guide for beginners

European Regulation 2016/679 (better known as the GDPR) came into force at the end of May 2018. In this easy guide we will try to explain the key points of the regulation in a simple way, without too many complicated details.

The name “General Data Protection Regulation” tells us it is a Regulation. This means that on 25 May 2018 it became de facto law in all member states of the European Union. The clarification is significant because, unlike a Directive, which asks member states to write their own law in a given direction, a Regulation needs no further step to be enforceable.

The GDPR establishes the rules for protecting the personal data of European citizens, so it should not be confused with a company’s own data, such as prototypes, projects, patents or financial statements. In practice, every subject (companies, entities and other citizens alike), including those outside the EU, that processes the personal data of European citizens must comply with the regulation.

GDPR definitions

Before getting to the heart of what the GDPR says, let us clarify some definitions:

Personal data

Article 4 of the GDPR defines it as “any information concerning an individual identified directly or indirectly by reference to any other information”. This means that a name, an address or a car number plate are all personal data. It does not matter that the data is visible to everyone (think of number plates, for example): it is the combination of the plate number and the person it belongs to that forms the personal data.

Processing

Another important word to know is Processing. By this we mean “any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, erasure or destruction”.

Data subject

The data subject (also called the interested party) is the owner of the data: every person is the data subject of his or her own personal data.

Data controller

The data controller is the person, company or entity that asks for personal data in order to process it and decides how and why it is processed. Note that the controller is not whoever handles the data, but whoever makes the decisions about the processing.

Processor

The natural or legal person, public administration or other body that processes personal data on behalf of the data controller.

Data Protection Officer

Also known as the DPO, from the English acronym, this figure is designated by the controller or the processor to act as an expert on the subject (usually a lawyer). In practice, the DPO helps those who process personal data to comply with the GDPR by providing opinions, informing and supervising.

Special categories of personal data

Before the GDPR this type of data was called sensitive data. It includes racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as genetic data, biometric data intended to uniquely identify an individual, and data concerning a person’s health, sex life or sexual orientation.

Personal data breach

A security breach that accidentally or unlawfully leads to the destruction, loss, modification, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Pseudonymisation

A word that may sound frightening but is simple: the processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information. Imagine having two registers. The first has two columns: the names of the people and a numerical code associated with each of them. The second register contains the numerical code in the first column and, in the second column, the personal data to be protected. To understand who the data belongs to, the information in the two registers must be correlated. The personal data in the second register is “pseudonymised”.
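The two-register scheme just described, as an added example that is not part of the original guide (constructed sample records; the register format and the random-code choice are assumptions for illustration):

```python
import secrets

# Constructed sample records: each row pairs a name with the data to protect.
RECORDS = [
    {"name": "Anna Rossi", "data": {"diagnosis": "asthma", "city": "Genoa"}},
    {"name": "Luca Bianchi", "data": {"diagnosis": "diabetes", "city": "Turin"}},
    {"name": "Anna Rossi", "data": {"diagnosis": "allergy", "city": "Genoa"}},
]


def pseudonymise(records):
    """Split records into a key register (name -> code) and a data register
    (code -> list of data). The data register alone names nobody, and the same
    person always gets the same code so the records still belong together."""
    key_register = {}
    data_register = {}
    for rec in records:
        name = rec["name"]
        if name not in key_register:
            # A random code, unlike a sequential number, cannot be guessed
            # or matched to the alphabetical order of the names.
            key_register[name] = secrets.token_hex(8)
        code = key_register[name]
        data_register.setdefault(code, []).append(rec["data"])
    return key_register, data_register


def reidentify(key_register, data_register, name):
    """Re-link data to a person: only possible while the key register is
    available, which is why the two registers must be kept apart."""
    code = key_register.get(name)
    if code is None:
        return []
    return data_register.get(code, [])


def leaked_names(data_register, key_register):
    """Return any name from the key register that still appears in the
    pseudonymised register: the check to run before sharing it."""
    dumped = repr(data_register)
    return [name for name in key_register if name in dumped]


if __name__ == "__main__":
    keys, data = pseudonymise(RECORDS)
    print("data register (no names):", data)
    print("Anna Rossi's records:", reidentify(keys, data, "Anna Rossi"))
    print("names leaked:", leaked_names(data, keys))
```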

Rights of European citizens

After this long but necessary introduction, let us find out what the rights of European citizens are regarding personal data.

The most important article (there are 99 in total) is of course the first one. Its point 2 is the heart of the regulation: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. But what exactly does that mean? Which rights and freedoms does it protect? An entire chapter of the regulation is dedicated to the “Rights of the data subject” and is divided into five sections. Let us quickly go through them.

Transparency and modalities

This section consists of a single article (the 12th) entitled “Transparent information, communication and modalities for the exercise of the rights of the data subject”. In short, the data controller (the one collecting the data) must communicate with the data subject in a clear manner and must facilitate his or her requests (concerning the personal data the controller processes) and, more generally, the exercise of the rights provided by the regulation.

Information and access to personal data

Here we get to the main part: before processing the data, the controller must tell you who processes it, why, and for how long it is kept. This section also gives you the right to ask, at any time, to view, modify or delete the personal data the controller holds about you.

Rectification and erasure

It is your right to ask for your data to be changed (rectification) or to request its erasure, the famous “right to be forgotten”. In fact, at any time you can withdraw consent to the processing and ask to be forgotten (useful for defending yourself against some very aggressive marketing campaigns).

The right to data portability (article 20) is an interesting one: it allows the data subject to request that the controller provide all personal data referring to him or her “in a structured, commonly used and machine-readable format”. This article is in fact what forced Google, Facebook and the other web giants to give their users a link through which to request all the data they hold about an individual. It works, and we recommend you try it at least once: Google Takeout or Facebook personal data management.

Right to object and automated individual decision-making

This goes hand in hand with the right to be forgotten, but applies when permission to process the personal data is not required because “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party” (art. 6, par. 1, letter f).

Restrictions

Naturally, the EU can limit the rights and obligations established by the regulation to safeguard more important interests, such as national security, the independence of the judiciary and judicial proceedings, public safety, the protection of the data subject or of the rights and freedoms of others, and other critical matters.

Responsibility of the data controller and the data processor

Chapter four describes the obligations of the controller and the processor. In particular, it sets out the compliance responsibilities of these two figures, including the obligation to protect the personal data they process (by encrypting it or applying pseudonymisation), to keep a record of processing activities, and to assess the impact of the processing before proceeding.

The last aspect that deserves your attention is personal data breaches. Section 2 of Chapter 4 is dedicated to the security of processing, and Article 33, certainly one of the most important, covers the “notification of a personal data breach to the supervisory authority”. Its first paragraph is the famous notification to the “Garante” (in Italy the supervisory authority is called the “Garante per la protezione dei dati personali”) in case of a data breach:

“In the event of a personal data breach, the data controller notifies the competent supervisory authority pursuant to Article 55 of the violation without undue delay and, where possible, within 72 hours from the time when it became aware of it, unless the breach of personal data is unlikely to present a risk to the rights and freedoms of individuals. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay.”

Conclusion

The heavy administrative and financial sanctions imposed on controllers who do not comply with the regulation certainly made it famous. Fines vary depending on the violation but are always significant. They start from fines of up to 10 million euros or (for companies) 2% of turnover, for example for not having a data controller appointed. The fine can reach 20 million euros or 4% of company turnover for more serious violations, such as failure to notify a data breach.

According to a study by DLA Piper published in January 2023, 2022 marked yet another milestone: GDPR fines totalling EUR 1.64 billion were reported across Europe, a remarkable 50% increase over the fines reported in 2021. Germany leads the rankings with 29 795 personal data breach notifications, followed by the Netherlands (24 777), Poland (12 748), the United Kingdom (10 281) and Denmark (7 882).

What about Italy? According to the same report, between 25 May 2018 and 27 January 2023 the Garante was notified of 7 008 personal data breach cases (ranked 11th) and imposed fines with a total value of more than 63 million euros (ranked 6th).
