GDPR Requirements in layman's language

Last Update: May 20, 2018

blog cover image

GDPR requirements, step-by-step explanation

The GPDR (General Data Protection Regulation) law and how it impacts you

"Law GDPR May 25th 2018 in operation"

The European Union has approved a new privacy law for its citizens. The GDPR. Everyone who wants to do business inside the borders of the EU has to inform their EU visitors in what way they are placing cookies and tracking data.

The consequences of the GDPR are complex. For that reason, I have divided the steps to be taken into three different groups. Each group once again consists of areas where a company must have an answer to, to be able to live up to the demands arising from the GDPR.

Organizational measures

The GDPR requires organizations that process personal data to take measures that significantly reduce the risk of a data breach. You must also be able to show which measures you have taken. The measures include

  • Privacy Impact Assessments
  • Audits
  • Follow-up policy rules
  • Logging of activities
  • The appointment of a Data Protection Officer (DPO)

The GDPR requires certain organizations to appoint a Data Protection Officer.

This can be an existing employee or an external consultant who bears the responsibility.

For example, if your organization manages a large customer base, you will have to appoint a Data Protection Officer. The GDPR expects from the national authority that they provide assistance in determining the job requirements.

The designated officer is responsible for testing the GDPR how the organization deals with data, issuing advice about the measures to be taken and when and how a Privacy Impact Assessment should be carried out. In addition, the officer is the first contact person to the Data Protection Authority on behalf of the organization.

One stop-shop

The concept of a one-stop shop ensures that an organization with several branches in the EU has only one Personal Data Authority.

Processes, procedures, and policies

The GDPR defines a data leak as "a leak of security that results in unintentional or unlawful destruction, loss, modification, unauthorized release of or access to personal data that has been sent, stored or otherwise processed".

This is a more comprehensive definition than before and makes no difference whether a data leak harms the individual or not. Every organization is obliged to inform the Authority for Personal Data of the data leak within 72 hours after discovery.

Organizations are exempt from reporting the leak to data subjects, provided sufficient technical and organizational measures have been taken to protect the personal data, such as encryption.

Privacy by Design

Complying with the GDPR means implementing privacy by design in the development of new processes and products in which the collection or processing of personal data plays a role. Where this was previously a best practice, privacy by design is now a requirement.

Privacy Impact Assessment

A Privacy Impact Assessment aims to test the technical and organizational measures taken by an organization in favor of the GDPR requirements.

According to the GDPR, a PIA is a formal requirement; the controller must ensure that a PIA has been executed before it starts a process or activity with a high privacy risk.

International Data Exchange

Internationally operating organizations should, where necessary, tighten the policy and processes for exchanging data with non-EU countries. The rules for the processing or exchange of data by organizations to jurisdictions that are not recognized by the European Commission have been considerably tightened.

Awareness of data protection

Internal staff

There is still plenty of time, but start quickly creating awareness about the GDPR and the stricter guidelines throughout the organization. The transparent processing of personal data and the adjusted rights of the individual may require adjustments that can have a significant impact on the financial and IT processes. The training of staff can contribute to the awareness.

Responsibility - technical measures


The GDPR obliges the responsible person to demonstrate that the organization complies with the data security principles. It is important for an organization that it pursues a clear policy with which the required standards are met. The requirements include monitoring, reviewing and testing data processing procedures, ensuring processes and ensuring that employees are trained to handle personal data with care. An organization must at all times be able to submit the measures taken when requested by the European Data Protection Authority.

Data Leak - Technical Measures

Within 72 hours after discovering a data breach, this must be reported to the Data Protection Authority. Good preparation for a possible data leak includes drawing up clear policy measures and regularly testing procedures.

Failure to report a leak within the set term may result in a fine in addition to a possible fine for the data leak itself.

More rights for those involved - technically

The GDPR strengthens the rights of data subjects, for example by adding the right to allow a person to view, have modified, or even delete the data that is processed about himself.

Access for data subject

One of the main goals of the GDPR is to protect the rights of the individual. For an organization, this results in adapting or adding procedures for processing access requests to the personal data of data subjects.

In most cases, an organization will not be able to request compensation for providing access to the data and must be able to comply with this request within one month.

The right to be forgotten (The right to delete information)

This right gives individuals the possibility to request the controller and any processors to delete personal data without undue delay. This request must be granted in situations where there are questions about the execution of the processing or when an individual withdraws consent from processing.

Third parties who have insight or access to the personal data of data subjects must also comply with this request.

Automated profiling

The GDPR defines profiling as "any form of automated processing of personal data used to evaluate personal aspects, in particular with which it is analyzed and/or with which predictions are made that have to do with performance at work, the economic situation, health, personal preferences, interests, reliability, behavior, location, and movement within an area. "Nevertheless, there is some ambiguity about the way in which an individual can challenge the right to automatic decision-making based on profiling.

Data transferability

The GDPR introduces a new right to data transferability, which means that an individual can request the automatically processed personal data. The processor will have to provide this information in a machine-ready format.

Right of resistance

As part of strengthening the rights of the individual, the European Commission has agreed to restrict the processing of personal data for marketing purposes. This also includes limiting profiling activities with a marketing goal.

If an individual objects to an organization, it will immediately have to stop processing personal data. In addition, the contact details of the individual must be kept on an internal list.

Organizations are obliged to inform individuals about their rights to the processing of personal data.

Communicate privacy info


Obtaining approval from individuals on the processing of his or her personal data should be as simple for an individual as the withdrawal of the approval. Approval or withdrawal cannot be derived from silence, pre-ticked boxes or inactivity.

Parental permission

As part of strengthening the rights of the individual, the European Commission has agreed to restrict the processing of personal data for marketing purposes. This also includes limiting profiling activities with a marketing goal.

The GDPR requires that organizations receive permission from parents before they can process personal data of minors. If an individual objects to an organization, it will immediately have to stop processing personal data. In addition, the contact details of the individual must be kept on an internal list.

Notification of processing

The introduction of the GDPR means for many organizations that they will have to share more information with individuals where they process personal data. Information that must be shared includes, among other things, the legal basis for the processing of the data, the retention period and the right of the individual to make reports to the European Data Protection Authority, provided there are problems with the processing of personal data. The GDPR requires concise and clear language in the communication to the owners of the personal data.

Data security (integrity and confidentiality)

The GDPR uses data security principles similar to those in the current directive, such as honesty, regularity, and transparency; limiting the goal; data minimization; data quality; security, integrity, and confidentiality.

You must ensure that personal data are processed in a manner that ensures security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage: "The organization and service provider that processes personal data on behalf of the organization takes appropriate technical and organizational measures that guarantee a minimum level of security appropriate to the risks ".

The GDPR proposes a number of security measures that can be used to ensure the protection of data, including pseudonymization and encryption of personal data; ensure continuity in ensuring confidentiality, integrity, availability and resilience of systems and services with which personal data are processed; the ability to timely restore the availability of and access to data in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the proper processing of personal data.


The GDPR specifies encryption as a solution that can help to ensure compliance with some of its obligations. The regulation says the following about this:

Article 32 - Security of processing

"1. Taking into account the implementation and implementation of the implementation of the controller and the processor. appropriate technical and organizational measures to ensure a level of security for the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data [...] "

Article 34 - Communication of a personal data leak to the data subject

"3. The communication to the data subject should be in accordance with the following conditions: (a) controller has implemented appropriate technical and organizational protection measures. the data leak, in particular, those that render the personal data unintelligible to anyone who is not authorized to access it, such as encryption [...] "

What does this mean for you?

A few questions:

  • Is your website accessible to European visitors?
  • Does your website track data?
  • Does your website place cookies?

That is 3x YES

The Internet doesn't stop at the border of the European Union

Your website is tracking data

  • Google Analytics is tracking data
  • Google Adsense is tracking data
  • Almost all plugins are tracking data
  • Autoresponders, like Aweber, and MailChimp are tracking data

Yes, your website is placing cookies

  • Wealthy Affiliate is placing cookies
  • Your affiliate programs are placing cookies

Your responsibility according to the GDPR Requirements

Inform your visitors of which data you are tracking, and that you are placing cookies

There are GDPR plugins you can activate to help you meat the GDPR Requirements

WordPress guide for editing your privacy policy

GDPR Cookie Policy Generator (ToLiNoLi)

EU Cookie Law Plugin For The GDPR Settings

Google Analytics GDPR Acceptance Walk Through

StefanoV suggested:

Stuur me een PM als je een Nederlandse GDPR privacy polis nodig hebt! (Translation: Please PM me if you need a Dutch GDPR privacy policy)

Create Your Free Wealthy Affiliate Account Today!
4-Steps to Success Class
One Profit Ready Website
Market Research & Analysis Tools
Millionaire Mentorship
Core “Business Start Up” Training

Recent Comments


Loes, this is a great post. But GDPR being a bit complex, it is also difficult to understand what each website needs specifically.
Could you give a simple step-by-step for, say, a website in the MMO niche.
What should one do exactly? Just tell us and we will do it ...


There are some really good training bout this on WA
When you type in the searchbar "gdpr marionblack", you get a whole lot of them.

Hi Loes
Quite an article. Does this require a new privacy policy change, or can we just edit our existing privacy policy? I just finished publishing my privacy policy, and now I see this. Would you suggest using the WP guide for editing a privacy policy?

I think your daughter's name is beautiful, but "Ella and Dani" are equally as beautiful. My brother's name is "Lex" ( named after an American film star from the 1950s who played Tarzan ), but a few years ago he decided that he wanted to be called "Alex" ( Alexander is his full name ). It takes some getting used to, but I try to comply with his wishes.


You can edit your privacy policy page where needed. We must have talked about my daughter's name somewhere else:) We are used to Daniëlla by now, she changed it from Ella to Daniëlla about 22 years ago.

Hi Loes
thankyou for the like and your comment. Actually, I was reading some of comments made to you regarding this post, and I came across Daniella's comment to you. You told her that your daughter's name is Daniella, etc...

That reminded me of my brother, and how I had to make a change in his name.


Thank you! Oww it's down here:))

Thank you for the Like Loes


Should we be using the one listed in eu cookie plug in fit gdpr setting or the gdpr cookie policy generator or does with work or do we need both . Sorry but I’m just confused . I got most the other stuff out the way tonight but these confuse me

As EU citizen you need both, the Gdpr is automating your log files and is required for everybody, the EU cookie law plugin is giving a pop-up warning, that your website is using cookies and that is obliged in the Eu, and adviced outside the eu

Thanks so much.

I am still so confused about what we as WA members what we have to do

Privacy Policy - Do we wait for Kyle and Carson to do the revised Privacy Policy and then add to our website??

GDPR - Do we get the plugin that has been recommended and put it on our website?

I know loads of questions and answers have been done but I am still confused after reading them

I understand, there is a Privacy policy guide on the WP dashboard in the latest version, very handy guide I would start with that, when it's not on top it's under settings>privacy to find

Thank you, you are so knowledgeable

Hi Loes.. what exactly is it that needs to be incorporated into our privacy policies?

Is it all this information above? Maybe place a link to it within our privacy policy .. and copy and paste your information here into a new page and make it No Index?

Am I on the right track?



Yes, you are heading towards it. But this info doesn't cover it. When you use the cookie generator Tilinoli (Stefan) is supplying to edit your privacy policy or add a GDPR page and use the Cookie law plugin I believe, that you are on the right way doing that.

OK yes... I have activated this plugin .. it is in place... but need to know what info to incorporate into the privacy policy

When you check the appropriate boxes in this generator
You get exactly the parts which are missing on your current policy.
Like as, when you are using Adsense, it should be mentioned

Ok great thanks Loes :)

OK .. Last one :) .. I think I have put this in place correctly Loes... do you mind to take a look ... 10 seconds only .. and let me know if I am all in place?

The Normal Privacy Policy is in place in the footer menu with an internal link to the GDRP page ... The GDRP is also in the footer...

They are both no indexed ..

Am I sorted?

My website is on my WA profile ... the Rhodes one :)

Thanks Loes


You GDPR policy and privacy policy are looking alright, but you forget to link to the GDPR in the cookie "more info"

Here you can find the text I use
You may copy it, it's on my test website
Replace the link
I link here to the GDPR requirements, and the Decline Cookies link redirect people from my website to Google

OK thanks Loes... I think I am in place now... I think lol


Your cookie warning doesn´t show, it should popup when I enter your url in incognito mode

hhmmm I dont know .. it is working for me

I'll try mobile

Yes it's working on my phone, your link to the GDPR is wrong”https:/

OK done .. thanks so much for your help today Loes... greatly appreciated :) x x

My pleasure Chris:))

Hi Loes. I don't profess to understand all this so at the risk of sounding ignorant, does this only affect businesses and organizations that have a WEBSITE? For example, what if you conduct all your business through social media only, ie Twitter, FB, YouTube, email marketing, etc but don't have a website. Would these laws still affect those individuals?

Mary Ann

The collection of this data is done on and by Facebook, after which this data is made available to the advertiser. For that reason, Facebook is responsible for obtaining permission. As a social advertising specialist, you can continue to use this opportunity with peace of mind.

Thanks :)

It’s still all as clear as mud to me except for the last bit. As a U.K website I already have a banner that tell people I collect cookies which they can click on to accept or find out more info.
Do you think I need anything else.?
With Grace and Gratitude

Are you having people signing up for a newsletter? if yes, you need..., same for selling anything...

Yes, you do tracking too, and perhaps collect email addresses, so you have to add that
Here is a policy generator

Going to use this. Do I just add it as a page like my privacy policy or perhaps add it to my original privacy policy?

I’m going to use the generator that you recommended. Just need to know if I need to create a new page for it, or add it to my original privacy policy?

I have a privacy and cookie policy, do not forget your cookie warning must pop up or be there good visible, when an EU visitor lands on your website.

I’ve had that for ages.

You had? Where did it go?

Thanks for this post, Loes. This answers some of the confusion I have been having. I have updated it just now as you will see from the screenshot I have attached here. Now let me update other details like organisation info, etc. Looks like I have to create a Google+ account for my brand and add it there in the 360 Suite. But how do we create a separate brand account? Well, let me look into it properly.

Accepting the GA terms of services has to do with their policy according to the GDPR, and has nothing to do with your responsibility for your website, you have to take action for yourself, and inform your public about which data you are collecting and whether or not you are placing cookies.

Noted, Loes. Thanks!

Thanks for this Loes. I really appreciate your help and time putting this together. Is there a plug in you recommend at all?
I already have the one which advises about the site using cookies in the EU.
Also, do you know if this just apply to companies or to sole traders like myself too?
Thanks. Gail.

I am planning to adjust the text of the EU cookie las plugin and my privacy policy

OK thank you. Just to say I really appreciate this Loes. It must have taken a long time to trawl through. You're amazing! :)

See more comments

Create Your Free Wealthy Affiliate Account Today!
4-Steps to Success Class
One Profit Ready Website
Market Research & Analysis Tools
Millionaire Mentorship
Core “Business Start Up” Training