What is the GDPR?
Updated: May 24

Data Protection & Data Processing
(GDPR = General Data Protection Regulation)
Good to see ya!
Are you processing data of European Citizens?
Perhaps you offer Immigration Services, Real Estate Services, customers use your online store, or maybe students from Europe are studying at your campus. If you process data from European citizens, then in most cases you have to comply with the GDPR!
So, let's talk about data protection, data processing, and how the General Data Protection Regulation (GDPR) affects you.
First of all, data protection is neither bad nor superfluous. In its original sense, data protection helps you ensure that your personal information and the information of your customers are protected.
In the business context, we are heavily influenced by the laws of the states and countries in which our customers live. If your company has a strong focus on California, you must observe and implement the requirements of the CCPA. As a healthcare provider in the US, you are subject to the HIPAA requirements and if your customers are in Europe, you must implement the GDPR requirements.
It is not sufficient to just put a privacy policy on your website!
Due to the extra-territorial scope of the GDPR, it applies worldwide to all companies that regularly process data from customers in Europe.
You must make sure that all of your processes are GDPR compliant, as fines can be extremely high.
Some information about the GDPR
The GDPR was passed in 2016 and became fully effective in May 2018. Failure to implement the GDPR can result in severe fines. Companies like Microsoft, Meta Platforms, Accor, Volkswagen, Google, Amazon, and Grindr have had to pay substantial fines.
In many cases, the fines could have been eliminated by very simple measures. For example, Grindr passed on customer location data without any legal basis. Additionally, Grindr's privacy policy was incomplete.
Let's be honest, in how many cases do we accept that an app is tracking us? If the corresponding message appears on our cellphone, we accept it to have peace of mind and focus back on other things.
As a company, we must consider what our basis for data processing is. Is there a contract, a legitimate interest, or do you need the customer's consent?
This example might shed some light on what the GDPR does. It creates a legal framework for people who live in Europe and whose data we are processing. The CCPA does the same concerning California residents.
These regulations aim to give customers control over their data and to make companies accountable for how they handle customers' data. As already explained, this concerns both the websites of the individual companies and the processes of the companies in which customer data is processed.
The GDPR influences a large number of data processing activities, e.g.:
Data storage through cookies
Data processed in the members' area of your website
Purchasing from an online store
Communicating with EU citizens by texting, messaging, emails, phone, or other forms where personal data is processed
The complexity of the specifications makes it necessary to evaluate the processes and determine which measures must be implemented to be GDPR compliant.
Privacy Management Systems
Data protection management systems help to meet these requirements.
The implementation of an appropriate privacy management system is based on the data protection requirements arising from the organizational structure and the data processing activities.
The configuration of these systems varies widely and is primarily determined by the sensitivity, amount, and type of data processing as well as by regulatory requirements. In addition, the regulation of these processes can vary from state to state.
You can find additional information about understanding the GDPR, the 7 principles of the GDPR, lawful bases of processing, data protection by design, GDPR compliance, data processing, website compliance, privacy policy, cookies, consent management, the territorial scope, user rights, the data protection officer (DPO) and a lot more in my blog article series, Dealing with the GDPR. Below you will find an overview of the articles:
Dealing with the GDPR - Part 1 - Understanding the GDPR
Dealing with the GDPR - Part 2 - Data Processing & GDPR Compliance
Dealing with the GDPR - Part 3 - Website, Privacy Policy, Cookies & Consent Management
Dealing with the GDPR - Part 4 - Article 32 and Technical and Organizational Measures
Dealing with the GDPR - Part 5 - Why do I have to care about the data processing of EU Citizens?
Dealing with the GDPR - Part 6 - Website Compliance Checklist
Privacy Certification
GRIFFOX is your certified full-service provider and has extensive knowledge in the field of data protection and information security.
Since 2015, we have worked continuously in the areas of data protection, auditing, and compliance.
In addition, we have extensive knowledge in the areas of process analysis and process optimization.
If you have any further questions, feel free to contact us!