
There are many hot issues that the world is facing today in the area of Cyber. The top of the list is the remote workforce and how it will be further defined in its role in society in the future.
Another issue is data privacy. With most businesses now having a virtual presence (versus the traditional brick and mortar that they once had), protecting confidential information and data is becoming paramount.
In this article, we look at one of the pieces of legislation that has been designed to do this—the GDPR.
A Quick Recap
The GDPR is an acronym for the General Data Protection Regulation. It is a major data privacy regulation that was conceived and originally drafted in the European Union (EU). It was passed into law May 25, 2018.
While its primary intent is to regulate EU-based businesses that deal with the personally identifiable information (PII) datasets of both employees and customers, it has far-reaching implications on a global basis as well.
For example, if businesses in the US have offices in the EU and transact business there, they are equally bound by the stipulations set forth by the GDPR. And the financial penalties for non-compliance are extremely harsh.
If a company is found to be non-compliant, the fines can be as high as $2.3 million or 4% of gross revenues, whichever is greater. Because of this, businesses all over the world have been scrambling to come into compliance since the law's inception.
The Scope of Information/Data Protection
While the main intent of the GDPR is to make sure that businesses have the necessary controls in place to protect PII datasets, the scope of what that data actually is is far broader, and includes the following:
The collection of PII: In this regard, PII is not merely Social Security and credit card numbers. It also includes:
The processing of information/data: This is the actual manipulation of the information and data that has been collected, whether it is done manually or automatically. This also includes the storage, transmittal, and deletion of the PII datasets.
The data controller: This is the entity or group of people that ultimately decides the exact techniques used to process the data and information.
The data processor: This is the person that will execute those techniques in order to process the PII datasets.
How the Data Can Be Processed
Although the business in question has the liberty to determine in what ways the information/data can be processed, there are very strict guidelines as to how this can be executed. These are as follows:
The business has received explicit and direct consent. This can be given via email, hard copy letter, or by allowing it when a person fills in the contact form on the respective website.
The processing of information and data must only take place when there is a direct need for it. It cannot happen otherwise. For example, this would include the creation and formation of a business contract in which the person who is giving permission is involved.
The manipulation and further refinement of PII datasets can take place if there is a direct order from a court of law to do so.
It can be processed if it is needed for life and death situations. For example, if a patient arrives at an emergency room and is either critically ill or injured, the attending physician and his or her staff can collect the medical data in order to prescribe the necessary medications.
The business entity needs the information and data in order to serve a public interest cause that directly impacts those individuals whose PII datasets are being used.
If there is an otherwise legitimate reason to do so. Note that this is a very broad and actually vague part of the GDPR that is open to a wide range of interpretation and, as a result, there is much greater latitude given to conduct audits and levy financial penalties. Because of this, many businesses don't process information and data under this stipulation; they typically do so only under the first five guidelines.
How the Information/Data Can Be Collected
The next question is: under what conditions can this data be collected? This is also covered by the GDPR under the following provisions:
For more information about the GDPR and the California Consumer Privacy Act (CCPA), which is deemed to be a close "relative" of the GDPR, take a look at our vast library of Privacy Resources.