Nebu Blog


What is GDPR? - Requirements, Principles, & deadlines - Guide | Nebu

The General Data Protection Regulation comes into force in a few months. GDPR applies to EU organizations and also to those that process EU personal data. It's high time for them to rethink and reshape their approach to data privacy.


Pauline Besnier
Posted on 9 February 2018 in GDPR

In the previous post, we explained what the main new roles introduced by GDPR are and what the impact of the new legislation is. Now, let's dive into more details.

Who is concerned?


If you process EU citizens' data as part of your activity, regardless of whether that processing occurs in or out of the EU, then the GDPR applies to you. Bear in mind that employee data and customer data ARE personal data. And the simple fact of storing that data is considered a processing activity.


Six principles of the GDPR 

The GDPR is not simply a box-ticking process to avoid a big fine. It is principles-driven and aims to change the way we perceive and treat personal data. There are six principles, listed below:

  • Lawfulness, fairness and transparency: you must inform the data subject which specific data will be collected and why, and obtain his explicit consent (by explicit I mean it should be a positive action; for example, an opt-out will no longer be a sufficient option).
  • Purpose limitations: data should be collected for a specified, explicit and legitimate purpose. No further processing that is incompatible with the initial purpose is allowed (unless you request a new consent). This includes, for example, archiving or use for statistical research after processing.
  • Data minimization: you should only collect the data that is relevant for the intended processing. No more “harvesting” of data.
  • Accuracy: you need to make sure the data you collect is correct and kept up to date. Processes to ensure that inaccurate data is corrected or deleted must be put in place.
  • Storage limitation: the data should not be kept longer than necessary for the intended processing or the legally required time.
  • Integrity and confidentiality: you must process the data in a secure manner. You will probably need to review your security policy to make sure it is GDPR compliant.

Key requirements of the GDPR

Personal Data: the term can be interpreted in many ways, but a good rule of thumb is that if a piece of information can lead to a specific person, then that information is considered personal data under the GDPR (for example a name, economic identity, physical description, cultural factors, etc.).

Lawfulness of Processing: Article 6 of the GDPR stipulates that, for you to be able to process personal data, at least one of the following conditions must be met:

  • You receive consent from the data subject (remember, explicit and positive consent is needed)
  • Processing is necessary for the performance of a contract to which the data subject is a party
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect a vital interest (for example medical data)
  • Processing is necessary to perform a task of public interest (population census for example)

If none of the above applies, then you are not allowed to collect and process the data.

Data controller and Data processor: Controllers are at the origin of the decision to collect specific data. The processors decide how the data is stored, processed, transferred or deleted. Both have the responsibility to protect that data.

Data breach notification: in the event of a personal data leak, it is the responsibility of the controller to notify the supervisory authority of the breach within 72 hours. But this applies only if the breach is likely to result in a risk to the rights and freedoms of the data subject.

Rights of individuals: the GDPR strengthens existing rights and grants new rights to EU citizens. You need to be able to respond to any request from a data subject wishing to exercise one or more of his rights. The most famous one is the right to be forgotten (see details in the previous blog post on GDPR), meaning that the data subject can ask you to erase all information related to him. You can find these rights and their description in articles 12 to 23 of the GDPR.

Privacy by default and design: this means that your policies and processes should protect the data from the beginning of the processing and that you should take the appropriate technical and organizational measures to ensure the security of the data during its lifecycle. As I said, with the GDPR you will have to change your approach to personal data.

Data Protection Officer: they are data protection experts who act as the single point of contact for all data processing notifications and report to the highest level of management. Not every organization is required to appoint a DPO (you can find more information in article 29), but it is recommended to allocate one employee to deal with data protection in your organization.

What do you risk if you don’t comply?

The data protection authorities can apply fines of up to €10 million, or 2% of the worldwide annual revenue of the prior financial year (whichever is higher), for “small breaches”; for “higher breaches”, it can go up to €20 million, or 4% of the worldwide annual revenue of the prior financial year.

These are huge amounts, but there is no reason to panic. Auditors will not come knocking at your door from 26th May. What you need to do is start building a strong compliance program and show goodwill (that should be documented!) by demonstrating that you are working towards becoming GDPR compliant.


It is a risk-based approach, so think about training as the first line of defense. Everyone in your company should be aware of the GDPR and its impact.

Conduct a data audit so you are fully aware of all the data you are collecting and processing within your organization.

You do not have to comply with every requirement of the GDPR; it depends on the size of your company, your activity and whether you are a processor or a controller. Check the regulation to see which requirements your company has to comply with by May 2018, and start making a plan now.


Resources and toolkits worth looking into:

Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR, and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.


Pauline Besnier is a compliance officer at Minddistrict, currently focusing on GDPR. She specializes in highly regulated spheres, in banking, and in healthcare. She translates compliance requirements into an understandable language and implements business-friendly processes.
