EU – General Data Protection Regulation: The Basics

First published September 2016

The EU’s General Data Protection Regulation (GDPR) will be one of the most far-reaching data protection regulations in recent times. It will unify data protection for residents of the European Union (EU) and regulate the export of personal data outside of the EU.

It has taken since 2012, when the earliest drafts were formed, to reach the stage where the wording of the law has been formalised and agreed upon by the EU Council and Parliament. The law will replace the Data Protection Directive from 1995, and will be enforced in 2018 after a two-year transition period.

The purpose of the law is to bring Europe into the digital age, giving EU residents enhanced control over their own personal information and data, whilst simplifying existing data protection laws for businesses.

Notable changes in the GDPR proposals include:

  • More rigorous regulations for obtaining consent when collecting personal data
  • Removing information from company servers when Right to be Forgotten requests are granted
  • Establishing a single national office where complaints about data protection can be made
  • The introduction of the One-Stop-Shop for cross-border processing
  • Strict and extensive fines for companies if they do not comply with the new data protection policies

This article will discuss the basics of the GDPR and the terminology that is associated with the regulation.

How does the GDPR define personal data?

The GDPR will consider a varied collection of data fields to be ‘personal data’, as classed by the European Commission (EC). Under the new regulations these will include both traditional identifiers such as phone numbers and postal addresses, and newer identifiers such as email addresses, IP addresses, genetic data and biometric data.

The EC states that:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

There is little information about a person that cannot be classed as personal data. This will therefore make it almost impossible for companies to avoid complying with the requirements outlined within the new regulation.

The Long Reach of the Law

One of the key reasons behind the reform of the Data Protection Directive (DPD) is the need for greater clarity and consistency with regards to the regulation of data protection across Europe.

The new regulation brings uniformity across Europe, aligning the law with the broader market objectives. It will apply directly to individuals and organisations based in the EU.

Controllers and processors (organisations) based outside of the EU who provide services and goods to citizens residing in the EU will also be constrained by the new regulations. This means that all global companies will potentially be affected by the regulation, which, in the process, makes the GDPR the first global data protection law.

The Introduction of the One-Stop-Shop

The regulation introduces the principle of the “One-Stop-Shop” – a single data protection authority (DPA) that will act as the lead authority and regulator for the cross-border processing of businesses established in more than one EU member state.

This is in contrast to the current data protection framework, which states that organisations are responsible to the DPAs of each separate EU country in which they are established.

Consent & The Rights of the Data Subject

Many believe that the current directive gives regulators and controllers too much flexibility with regards to data usage. The rights of the individual have been rebalanced to ensure control over the distribution and processing of personal data is put back in the hands of the data subject. To this end, the rights of the individual have been updated significantly. This includes updates to the following:

  • Individuals now need to give clear consent to the processing of personal data
  • Data subjects will now have easier access to their own personal data, which will now have to be presented upon request
  • Pseudonymisation (a privacy-enhancing technique) and encryption of personal data will be imposed so that data cannot be attributed to a specific person
  • Individuals will have the rights to rectification, to erasure and ‘to be forgotten’
  • The right to object will now be available for specific types of data processing, including direct marketing
  • The right to data portability from one service provider to another will now be introduced
  • Children under the age of 13 must have a parent or custodian provide consent on their behalf – member states are able to impose their own rules for children between 13 and 15 years of age
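The pseudonymisation point above is the one item in this list that maps directly onto an engineering control. The following is an added illustration, not code from the original article or from Kefron, of what “data that cannot be attributed to a specific person” looks like in practice: identifiers are replaced by a keyed hash (HMAC-SHA256), the key and the token-to-identifier lookup table are held separately from the dataset, and erasing a subject is done by deleting their entry from that separately held table. The record set, field names and function names (`pseudonymise`, `reidentify`, `erase_subject`, `totals_by_subject`) are constructed for this example and are assumptions, not anything the page defines.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": 42.0},
    {"email": "bob@example.com", "purchase": 17.5},
    {"email": "Alice@Example.com", "purchase": 8.0},  # same subject, different casing
]


def new_pseudonymisation_key() -> bytes:
    """A fresh 256-bit secret. In practice this lives in a key store that the
    analytics dataset cannot reach; together with the lookup table it is the
    'additional information' that pseudonymisation must keep separately."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier.

    Same subject -> same token, so records about one person stay linkable for
    analysis. Without the key the token cannot be mapped back, and an unkeyed
    hash would be weaker: anyone holding a list of candidate email addresses
    could hash each one and match tokens. The key removes that possibility."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, field: str = "email"):
    """Return (pseudonymised copy of records, token -> identifier lookup).

    The lookup table is returned separately on purpose: it must be stored
    apart from the pseudonymised dataset, with its own access controls."""
    out, lookup = [], {}
    for rec in records:
        token = pseudonym(rec[field], key)
        lookup[token] = rec[field].strip().lower()
        new_rec = dict(rec)
        new_rec[field] = token
        out.append(new_rec)
    return out, lookup


def reidentify(token: str, lookup: dict):
    """Only someone with access to the separately held table can do this."""
    return lookup.get(token)


def erase_subject(token: str, lookup: dict) -> bool:
    """Honour an erasure request by severing the link: once the table entry is
    gone, the token in the dataset no longer refers to an identifiable person.
    Returns True if an entry was removed."""
    return lookup.pop(token, None) is not None


def totals_by_subject(pseudo_records, field: str = "email") -> dict:
    """Analytics still works on tokens: purchases are aggregated per subject
    without the analyst ever seeing an email address."""
    totals = {}
    for rec in pseudo_records:
        totals[rec[field]] = totals.get(rec[field], 0.0) + rec["purchase"]
    return totals


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    dataset, table = pseudonymise(RECORDS, key)
    print(totals_by_subject(dataset))          # two tokens, 50.0 and 17.5
    tok = dataset[0]["email"]
    print(reidentify(tok, table))              # alice@example.com (with table access)
    erase_subject(tok, table)
    print(reidentify(tok, table))              # None: link severed
```

Two design choices matter here. Normalising the identifier before hashing is what makes the two Alice records collapse to one token; skipping it silently splits subjects. And the dataset never carries the key or the table, so a leak of the pseudonymised records alone does not disclose who the subjects are, which is the property the regulation is after.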

Under the new regulation, personal data can only be processed by a controller for purposes that are fair and lawful. Simple, clear and affirmative language must be used to obtain personal data – this is something that may present a stern challenge for many businesses.

Without valid consent, obtaining personal data will be deemed unlawful and, as such, will result in a breach of the new regulations. Individuals also have the right to revoke consent at any point in the data capture process. This presents further challenges for organisations, as they will now have to explain exactly what has been collected, how it will be processed, and how the data subject’s data will be used. All data already collected will require fresh consent from the data subject before an organisation can alter the way in which it is being used.

Governance & Compliance

The GDPR will require organisations to adhere to stringent measures designed to help reduce the risk of being penalised and also ensure that governance is being regarded with the utmost seriousness. To ensure that organisations comply with the new regulations, accountability measures will need to be put in place, including:

  • Privacy Risk Assessments
  • Audits & Policy Reviews
  • Activity Records
  • Appointing a Data Protection Officer

Organisations are also obliged to take appropriate security measures according to the risk involved in the data processing operations they perform.

The Role of the Data Protection Officer

To ensure that these procedures and measures are followed, appointing a Data Protection Officer (DPO) will become mandatory for the public sector. This will also apply to the private sector for large enterprises, and where the core activities of the controller or processor consist of processing operations which require “regular and systematic monitoring”.

Small companies may also have to employ DPOs, as the criterion is no longer the number of employees but the amount of risk associated with handling personal data. Therefore, any business that deals with processing personal information will have to appoint a DPO.

Given the time, effort and resources that the measures outlined within the new regulation will demand, organisations that do not currently have these governance structures in place may become overburdened with responsibilities.

Personal Data Transfers to a Third Country

The GDPR will bring in stringent governance with regards to the distribution and transfer of data to third countries and international organisations outside of the European Economic Area (EEA). Any personal data exported to a region outside of the European Union will need to be afforded an adequate level of protection determined by the European Commission (EC).

If the EC has not determined that a third country affords an adequate level of protection, data may still be transferred in special circumstances where suitable safeguards are in place, such as:

  • Binding corporate rules
  • Contractual agreements & clauses
  • Standard data protection clauses

Data Breaches & The Ramifications

Under the GDPR, a data breach is defined as: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In the event of a data breach, a series of specific steps must be followed. The independent Data Protection Officer (DPO) will be responsible for reporting any data breaches to the Supervisory Authority without undue delay, no later than 72 hours after the occurrence. Data subjects must also be informed if their personal information has been adversely affected, putting their freedoms and rights at risk.

If a data controller or processor does not comply with these regulations, businesses will be at risk of incurring significant fines once the GDPR is enforced on 25th May 2018 – up to proposed extremes of €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

The ability to implement changes will be severely limited in the 6-9 months prior to the regulations coming into effect; it is therefore of the utmost importance that preparations for the impact of the General Data Protection Regulation are dealt with now. To ensure your business is truly prepared, read through the content in our GDPR resource centre.

© Copyright 2025 Kefron. All Rights Reserved