Breaking Down the GDPR

The world today faces several critical cyber issues, led by the evolving role of the remote workforce and the increasing importance of data privacy. As businesses move toward a primarily virtual presence, protecting confidential information has become paramount. One of the most significant pieces of legislation designed for this purpose is the General Data Protection Regulation (GDPR).

A Quick Recap of GDPR

The GDPR is the European Union's (EU) data protection regulation. It was adopted in April 2016 and has been enforceable since May 25, 2018. Although it is EU law, its reach is global:

  • Global Reach: The GDPR applies to any organization established in the EU, and also to organizations outside the EU (including those in the US) that offer goods or services to people in the EU or monitor their behavior there (Article 3).
  • Severe Penalties: The most serious infringements can be fined up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to €10 million or 2% applies to other infringements (Article 83).

The Scope of Data Protection

The GDPR protects personal data, which it defines as any information relating to an identified or identifiable natural person (Article 4). This is broader than the US notion of Personally Identifiable Information (PII) and includes:

  • Types of Personal Data: Legal names, email addresses, location data, gender, nationality or country of origin, and online identifiers such as cookie and device IDs. Data revealing political opinions or religious beliefs falls into the "special categories" that are subject to stricter rules (Article 9).
  • Data Processing: Any operation performed on personal data, including collection, storage, alteration, transmission, and deletion.
  • Data Controller: The entity that determines the purposes and means of the processing.
  • Data Processor: The person or entity that processes personal data on behalf of the controller.

How Data Can Be Processed

Businesses may process personal data only if at least one of the six lawful bases in Article 6 applies:

  1. Consent: The individual has given freely given, specific, informed, and unambiguous consent. Explicit consent is required for special-category data.
  2. Contractual Necessity: Processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one.
  3. Legal Obligation: Processing is necessary to comply with a legal obligation to which the controller is subject (a court order is one example, not the only one).
  4. Vital Interests: Processing is necessary to protect someone's life (e.g., emergency medical care).
  5. Public Interest: Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
  6. Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the individual's rights and interests. Because it requires a documented balancing test and is open to interpretation, many businesses avoid relying on it alone.

Conditions for Data Collection

The GDPR's data protection principles (Article 5) govern how data is gathered and handled:

  • Purpose Limitation: Data may only be collected for specified, explicit, and legitimate purposes, and may not be further processed in a way incompatible with those purposes.
  • Data Minimization: Only data that is adequate, relevant, and limited to what is necessary for the purpose may be collected.
  • Accuracy: Businesses must keep personal data accurate and up to date, and correct or erase inaccurate data without delay.
  • Storage Limitation: Data may be kept in identifiable form only for as long as it is needed for the stated purpose.
  • Integrity and Confidentiality: Data must be processed with appropriate security against unauthorized or unlawful processing and against accidental loss, destruction, or damage. In practice this means applying the CIA triad (Confidentiality, Integrity, and Availability) to every system that holds personal data.

For more information on the GDPR and its close relative, the California Consumer Privacy Act (CCPA), explore Exterro's Privacy Resources.