GDPR Requirements in layman's language

Last Update: May 20, 2018

GDPR requirements, step-by-step explanation

The GDPR (General Data Protection Regulation) law and how it impacts you

"GDPR law in operation from May 25th, 2018"

The European Union has approved a new privacy law for its citizens: the GDPR. Everyone who wants to do business inside the borders of the EU has to inform their EU visitors of the way they place cookies and track data.

The consequences of the GDPR are complex. For that reason, I have divided the steps to be taken into three groups. Each group in turn consists of areas for which a company must have an answer in order to live up to the demands arising from the GDPR.

Organizational measures

The GDPR requires organizations that process personal data to take measures that significantly reduce the risk of a data breach. You must also be able to show which measures you have taken. The measures include:

  • Privacy Impact Assessments
  • Audits
  • Follow-up policy rules
  • Logging of activities
  • The appointment of a Data Protection Officer (DPO)

The GDPR requires certain organizations to appoint a Data Protection Officer.

This can be an existing employee or an external consultant who bears the responsibility.

For example, if your organization manages a large customer base, you will have to appoint a Data Protection Officer. The GDPR expects the national authority to provide assistance in determining the job requirements.

The designated officer is responsible for testing how the organization deals with data against the GDPR, for issuing advice about the measures to be taken, and for deciding when and how a Privacy Impact Assessment should be carried out. In addition, the officer is the first point of contact for the Data Protection Authority on behalf of the organization.

One stop-shop

The concept of a one-stop shop ensures that an organization with several branches in the EU deals with only one Data Protection Authority.

Processes, procedures, and policies

The GDPR defines a data leak as "a breach of security that results in the unintentional or unlawful destruction, loss, modification, unauthorized release of, or access to personal data that has been sent, stored or otherwise processed".

This is a more comprehensive definition than before, and it makes no distinction as to whether a data leak harms the individual or not. Every organization is obliged to inform the Authority for Personal Data of the data leak within 72 hours after discovery.

Organizations are exempt from reporting the leak to data subjects, provided sufficient technical and organizational measures have been taken to protect the personal data, such as encryption.

Privacy by Design

Complying with the GDPR means implementing privacy by design in the development of new processes and products in which the collection or processing of personal data plays a role. Where this was previously a best practice, privacy by design is now a requirement.

Privacy Impact Assessment

A Privacy Impact Assessment aims to test the technical and organizational measures taken by an organization against the GDPR requirements.

According to the GDPR, a PIA is a formal requirement; the controller must ensure that a PIA has been executed before it starts a process or activity with a high privacy risk.

International Data Exchange

Internationally operating organizations should, where necessary, tighten the policy and processes for exchanging data with non-EU countries. The rules for the processing or exchange of data by organizations to jurisdictions that are not recognized by the European Commission have been considerably tightened.

Awareness of data protection

Internal staff

There is still plenty of time, but start quickly with creating awareness about the GDPR and the stricter guidelines throughout the organization. The transparent processing of personal data and the adjusted rights of the individual may require changes that can have a significant impact on financial and IT processes. Staff training contributes to this awareness.

Responsibility - technical measures

The GDPR obliges the responsible person to demonstrate that the organization complies with the data security principles. It is important for an organization to pursue a clear policy with which the required standards are met. The requirements include monitoring, reviewing and testing data processing procedures, securing those processes, and ensuring that employees are trained to handle personal data with care. An organization must at all times be able to produce evidence of the measures taken when requested by the European Data Protection Authority.

Data Leak - Technical Measures

Within 72 hours after discovering a data breach, this must be reported to the Data Protection Authority. Good preparation for a possible data leak includes drawing up clear policy measures and regularly testing procedures.

Failure to report a leak within the set term may result in a fine in addition to a possible fine for the data leak itself.

More rights for those involved - technically

The GDPR strengthens the rights of data subjects, for example by giving a person the right to view, have corrected, or even delete the data that is processed about them.

Access for data subject

One of the main goals of the GDPR is to protect the rights of the individual. For an organization, this results in adapting or adding procedures for processing access requests to the personal data of data subjects.

In most cases, an organization will not be able to charge a fee for providing access to the data, and it must be able to comply with the request within one month.

The right to be forgotten (The right to delete information)

This right gives individuals the possibility to request that the controller and any processors delete their personal data without undue delay. This request must be granted in situations where the processing itself is called into question or when an individual withdraws consent to the processing.

Third parties who have insight or access to the personal data of data subjects must also comply with this request.

Automated profiling

The GDPR defines profiling as "any form of automated processing of personal data used to evaluate personal aspects, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements". Nevertheless, there is some ambiguity about the way in which an individual can challenge automated decision-making based on profiling.

Data transferability

The GDPR introduces a new right to data transferability (data portability), which means that an individual can request the personal data that is processed about them by automated means. The processor will have to provide this information in a machine-readable format.

Right of resistance

As part of strengthening the rights of the individual, the European Commission has agreed to restrict the processing of personal data for marketing purposes. This also includes limiting profiling activities with a marketing goal.

If an individual objects to the processing, the organization will immediately have to stop processing that person's personal data. In addition, the contact details of the individual must be kept on an internal suppression list so that the objection is respected.

Organizations are obliged to inform individuals about their rights to the processing of personal data.

Communicate privacy info

Obtaining approval from individuals for the processing of their personal data should be as simple for the individual as withdrawing that approval. Approval or withdrawal cannot be derived from silence, pre-ticked boxes or inactivity.

Parental permission

The GDPR requires that organizations receive permission from parents before they can process personal data of minors.

Notification of processing

The introduction of the GDPR means for many organizations that they will have to share more information with individuals whose personal data they process. Information that must be shared includes, among other things, the legal basis for the processing of the data, the retention period, and the right of the individual to lodge a complaint with the European Data Protection Authority if there are problems with the processing of personal data. The GDPR requires concise and clear language in the communication to the owners of the personal data.

Data security (integrity and confidentiality)

The GDPR uses data security principles similar to those in the current directive: lawfulness, fairness, and transparency; purpose limitation; data minimization; data quality (accuracy); and security, integrity, and confidentiality.

You must ensure that personal data are processed in a manner that ensures security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage: "The organization, and any service provider that processes personal data on behalf of the organization, takes appropriate technical and organizational measures that guarantee a minimum level of security appropriate to the risks".

The GDPR proposes a number of security measures that can be used to ensure the protection of data, including:

  • pseudonymization and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services with which personal data are processed;
  • the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the proper processing of personal data.

The GDPR specifies encryption as a solution that can help to ensure compliance with some of its obligations. The regulation says the following about this:

Article 32 - Security of processing

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data [...]"

Article 34 - Communication of a personal data leak to the data subject

"3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption [...]"
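Pseudonymization is the first measure Article 32 names, and Article 34 rewards measures that make breached data unintelligible to outsiders. The following is an added example, not code from the original post, showing what pseudonymization looks like in practice: a keyed HMAC replaces the direct identifier (here an email address) in a set of constructed analytics events, so per-visitor analysis still works while the pseudonymized data set no longer contains the identifier and cannot be mapped back to it without the key. The event records, field names and key handling are assumptions made for the example; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets

# Constructed sample events: the kind of tracking data a website collects.
# The "email" field is a direct identifier that should not live in analytics.
EVENTS = [
    {"email": "Ann@example.com", "page": "/pricing"},
    {"email": "ann@example.com", "page": "/signup"},
    {"email": "bob@example.com", "page": "/pricing"},
]


def new_key() -> bytes:
    """Random 256-bit pseudonymization key.

    The key is the 'additional information' that must be kept separately
    from the pseudonymized data (e.g. in a secrets store), never beside it.
    """
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym for one identifier.

    Canonicalising first (strip, lower-case) means "Ann@..." and "ann@..."
    map to the same token, so events from one person stay linkable.
    Without the key the token cannot be reversed or recomputed, unlike a
    plain unkeyed hash of an email address, which an attacker could
    brute-force from a list of known addresses.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_events(events, key: bytes):
    """Return copies of the events with the email replaced by a pseudonym.

    The original field is dropped entirely; only the token remains.
    """
    result = []
    for event in events:
        stripped = {k: v for k, v in event.items() if k != "email"}
        stripped["subject"] = pseudonym(event["email"], key)
        result.append(stripped)
    return result


def pages_per_subject(pseudonymized):
    """Analysis still works on pseudonymized data: events per visitor."""
    counts = {}
    for event in pseudonymized:
        counts[event["subject"]] = counts.get(event["subject"], 0) + 1
    return counts


def contains_identifier(pseudonymized, identifier: str) -> bool:
    """Check that the raw identifier no longer appears anywhere in the data."""
    needle = identifier.strip().lower()
    return any(
        needle in str(value).lower()
        for event in pseudonymized
        for value in event.values()
    )


if __name__ == "__main__":
    key = new_key()
    events = pseudonymize_events(EVENTS, key)
    print(pages_per_subject(events))
    print("raw email still present:", contains_identifier(events, "ann@example.com"))
```

Rotating the key (calling `new_key()` again) produces a completely different set of tokens, so old and new data sets can no longer be joined; that is deliberate, and is why the key must be stored and backed up separately from the pseudonymized records. Pseudonymized data is still personal data under the GDPR because the controller holding the key can re-identify it; it reduces the impact of a leak of the data set alone.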

What does this mean for you?

A few questions:

  • Is your website accessible to European visitors?
  • Does your website track data?
  • Does your website place cookies?

That is 3x YES

The Internet doesn't stop at the border of the European Union

Your website is tracking data

  • Google Analytics is tracking data
  • Google Adsense is tracking data
  • Almost all plugins are tracking data
  • Autoresponders, like Aweber, and MailChimp are tracking data

Yes, your website is placing cookies

  • Wealthy Affiliate is placing cookies
  • Your affiliate programs are placing cookies

Your responsibility according to the GDPR Requirements

Inform your visitors of which data you are tracking, and that you are placing cookies

There are GDPR plugins you can activate to help you meet the GDPR Requirements

WordPress guide for editing your privacy policy

GDPR Cookie Policy Generator (ToLiNoLi)

EU Cookie Law Plugin For The GDPR Settings

Google Analytics GDPR Acceptance Walk Through

StefanoV suggested:

Send me a PM if you need a Dutch GDPR privacy policy!

Wealth2018 Premium
Hi Loes. I don't profess to understand all this so at the risk of sounding ignorant, does this only affect businesses and organizations that have a WEBSITE? For example, what if you conduct all your business through social media only, ie Twitter, FB, YouTube, email marketing, etc but don't have a website. Would these laws still affect those individuals?

Mary Ann
Loes Premium
The collection of this data is done on and by Facebook, after which this data is made available to the advertiser. For that reason, Facebook is responsible for obtaining permission. As a social advertising specialist, you can continue to use this opportunity with peace of mind.
Wealth2018 Premium
Thanks :)
Stella2 Premium
Thanks for all of your efforts with this Loes. I really appreciate it! :-)

I have some parts implemented, but need to finish it on all of my sites.

It may just be EU now, but with recent events, I'm sure things will become tighter everywhere.

You are right, borders are not as fixed when it comes to the Internet. Things are becoming more and more global, for sure.
Loes Premium
Yes, it's globalizing fast. I have to adjust 7 websites for this matter
Memorylaneuk Premium
It’s still all as clear as mud to me except for the last bit. As a UK website I already have a banner that tells people I collect cookies, which they can click on to accept or find out more info.
Do you think I need anything else?
With Grace and Gratitude
ToLiNoLi Premium
Are you having people sign up for a newsletter? If yes, you need..., same for selling anything...
Loes Premium
Yes, you do tracking too, and perhaps collect email addresses, so you have to add that
Here is a policy generator
Memorylaneuk Premium
Going to use this. Do I just add it as a page like my privacy policy or perhaps add it to my original privacy policy?
Memorylaneuk Premium
I’m going to use the generator that you recommended. Just need to know if I need to create a new page for it, or add it to my original privacy policy?
ToLiNoLi Premium
I have a privacy and cookie policy. Do not forget your cookie warning must pop up or be clearly visible when an EU visitor lands on your website.
Memorylaneuk Premium
I’ve had that for ages.
ToLiNoLi Premium
You had? Where did it go?
sukumarth Premium
Thanks for this post, Loes. This answers some of the confusion I have been having. I have updated it just now as you will see from the screenshot I have attached here. Now let me update other details like organisation info, etc. Looks like I have to create a Google+ account for my brand and add it there in the 360 Suite. But how do we create a separate brand account? Well, let me look into it properly.
Loes Premium
Accepting the GA terms of service has to do with their policy under the GDPR and has nothing to do with your responsibility for your website. You have to take action for yourself and inform your public about which data you are collecting and whether or not you are placing cookies.
sukumarth Premium
Noted, Loes. Thanks!
GailLowe Premium
Thanks for this Loes. I really appreciate your help and time putting this together. Is there a plug in you recommend at all?
I already have the one which advises about the site using cookies in the EU.
Also, do you know if this just applies to companies or to sole traders like myself too?
Thanks. Gail.
Loes Premium
I am planning to adjust the text of the EU cookie law plugin and my privacy policy
GailLowe Premium
OK thank you. Just to say I really appreciate this Loes. It must have taken a long time to trawl through. You're amazing! :)