Punit Bhatia

What is EU GDPR (General Data Protection Regulation)?


EU GDPR, or the EU's General Data Protection Regulation, is the privacy law of the European Union. It replaces the 1995 EU Data Protection Directive. The EU GDPR sets out the rules for how personal data must be collected, used, and protected. It also gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.
The EU GDPR applies to any company that processes or intends to process the personal data of EU citizens, regardless of whether the company is based inside or outside of the EU. Companies that fail to comply with the EU GDPR can be fined up to four percent of their global annual revenue or €20 million (whichever is greater).
The regulation requires organizations to take steps to protect the personal data of EU citizens from accidental or unauthorized disclosure, destruction, or alteration. In addition, organizations must ensure that EU citizens have the right to access their personal data and have the ability to correct it if it is inaccurate. Finally, organizations must provide EU citizens with a way to complain if they believe their rights have been violated. EU GDPR went into effect on May 25th, 2018.

Why is GDPR Actually a Big Thing?

On the date GDPR came into force, you woke up in the morning with your inbox swamped with emails from businesses and organizations notifying you that they had "updated their privacy policy". The reason was that GDPR took effect that day, and a company that is not compliant faces steep fines and penalties. Here are some of the reasons that make the GDPR a big thing.

It is a regulation

The foremost difference between GDPR and the previous legislation, the 1995 EU Data Protection Directive, is that the EU GDPR is a regulation. But what do regulation and directive mean?

In EU (European Union) terminology, a directive sets a goal that member states must achieve by devising their own local laws. They have a lot of flexibility in turning that goal into local law.

A regulation, on the other hand, is a binding act that must be applied across EU member states in its entirety. Member states have limited flexibility, and the regulation is law in all of them. This implies that privacy laws across EU member states are very similar, with some exceptions that GDPR allows. So the difference is that the previous directive asked each member state to pass its own law, whereas GDPR is a binding act: it is directly applicable and allows less flexibility.

Supervisory Authority

Being a regulation that is uniformly applied across the EU, the GDPR provides a one-stop-shop idea for businesses and people that may deal with cross-border privacy issues from their base of operations. As a result, the concerns of individuals can now be handled uniformly throughout the EU. The GDPR permits firms operating in different EU countries to cooperate primarily with the supervisory authority located in the same Member State as their principal establishment (to achieve compliance). Normally, this is the location of the organization's European headquarters, and this authority becomes the organization's lead supervisory authority for any privacy-related issues. A Member State's local supervisory authority may either refer a case to the lead supervisory authority or handle it itself. The same applies to individuals: they can go to the local supervisory authority of their own member state, hand over the case or complaint, and let that authority take care of it, even if the company or organization is operating in another jurisdiction, meaning another member state.

Data Protection Officer (DPO)

Data Protection Officers are responsible for safeguarding an individual's data being processed by an organization. They work to protect data from being accessed or used without permission, as well as to ensure that data is accurate and up-to-date. Data Protection Officers also develop and implement policies and procedures for data management, and they monitor compliance with data protection laws and regulations. In addition, Data Protection Officers liaise with data controllers and data processors to ensure that data is handled correctly. As such, Data Protection Officers play a vital role in ensuring that data is properly protected.

GDPR Principles

Commonly known as data protection principles, the GDPR sets out seven key principles. These are: accountability, transparency, data minimization, storage limitation, purpose limitation, accuracy, and integrity and confidentiality.

These principles are designed to protect the personal data of individuals and ensure that it is processed in a fair, transparent, and accountable manner. GDPR compliance is essential for any organization that processes personal data, and failure to comply with the GDPR principles can result in significant fines. As a result, it is important for organizations to ensure that they have adequate GDPR compliance procedures in place. By adhering to the GDPR principles, organizations can help to protect the personal data of their customers and employees, and ensure that it is processed in a fair and transparent manner.

It is key to note that the accountability principle means that EU data protection legislation makes it the responsibility of the organization to demonstrate compliance with the principles of GDPR. It is the organization that must demonstrate how it is lawfully collecting and processing personal data.

Similarly, how is purpose limitation being achieved? And how about data minimization or accuracy? All this means that organizations now carry the burden of demonstrating compliance with the GDPR principles.

72-hour data breach notifications

GDPR requires that personal data breaches be notified to the supervisory authority within 72 hours of becoming aware of the breach. This new provision brought challenges, and a lot of organizations, and of course the media, were panicking. It was perceived as a very strict requirement, even though some countries like the Netherlands already had mandatory notification of data breaches.

GDPR came along with significant fines

Fines of up to 4% of global revenue or 20 million euros mean that even a small organization with annual revenue of about half a million or one million euros could still, technically, receive a fine of 20 million euros.

This created a lot of fear and anxiety: if an organization earning one million or half a million euros per year were fined 20 million euros, it would go out of business. The scaremongering and media attention on whether the law would kill small businesses also created a lot of buzz. While the aspiration of GDPR was to harmonize privacy compliance laws and modernize practices, it was also essential because the world around us had changed from 1995 to now. For example, in 1995 the internet was still new and there were no smartphones. These days, everything is digital and seems to be in the cloud.

In summary, the GDPR means:

• Putting the ownership of compliance with organizations.

• Providing authorities with powers like never before.

• Empowering individuals with rights and means to question organizations.

All this needed to be done because some organizations, especially big tech, almost had a free hand before. With the EU GDPR, they now need to take care of all the principles and requirements that are set out in the law.

So these are some of the reasons why GDPR became such a big thing.

The Positive Side

While there were challenges in complying with the EU GDPR, there have been benefits as well.

Business Benefits

In the first few years, the reaction was "it is a compliance thing, we have to spend a lot of money". But looking back now, and especially in recent years, there have been studies confirming that there are business benefits from compliance with EU GDPR.

Consequently, organizations are now starting to believe that privacy compliance brings them positive returns. A recent study by Cisco indicates that organizations confirm that they have achieved or received benefits at least twice their spending on privacy compliance.

Strong awareness amongst public and media

Thanks to the media, the public is now more aware of privacy. Wherever you go and whoever you talk to, the public is talking about privacy, even in countries where EU GDPR does not apply. During Covid, people were struggling with life and death, yet the debate was still whether this is GDPR compliant, or whether this is the end of privacy.

This is a very good sign, because if GDPR can hold through these challenging times, exciting times lie ahead. Of course, Article 5 of GDPR allows for processing, and even special powers for governments, in case of a pandemic or epidemic.

The Privacy Team

Most organizations now have a privacy department. This means an increased focus on privacy matters. As per CPO Magazine, more than 75 percent of those surveyed said that they have at least one privacy professional on board, and 25 of them say they have a team of more than 10. Hence, most medium or large-size organizations have a privacy officer or a privacy department.

Small-sized organizations are starting to look at something called a fractional privacy officer. This means you do not need a full-time DPO, but you have somebody who provides privacy advice as and when you need it, on a recurring basis. That is the model small and medium-sized companies are now going with. If you need help, you can always email us.

The creation of these privacy departments has meant that a lot of jobs have been created, certifications are being produced, consulting firms have made a lot of money, and even software vendors have started to offer automation.

Now that you know what EU GDPR is, why it was a big thing, and what its benefits have been, let us understand a few terms that are crucial for the role your organization plays in the context of EU GDPR.

What is the role of your organization?

In EU GDPR, your company can play the role of a Data Controller or a Data Processor. So, what do we mean by this, and why does it matter?

If your organization decides what personal data to collect and what to do with that data, your organization is a data controller as per EU GDPR. If your organization does not decide what personal data to collect or what to do with that data, but merely acts on the instructions of another organization, then your organization is a data processor as per EU GDPR.

So, as you plan to comply with the principles and requirements of EU GDPR, it is key that you know what role your company plays in each processing activity.


In essence, we are transforming into a digital society. In this digital age, new privacy rules are needed to reflect the extent and depth of change that has occurred over the last few decades. While the change we experienced was gradual, the change in privacy legislation happened all at once. This indicates that corporations will have to keep making modifications in the future to consider and respect privacy. GDPR, or more generally the importance of compliance with privacy laws, is likely to grow.

If you’re not familiar with GDPR yet, now is the time to learn what it is and why it matters. Ignorance of this law could result in hefty fines for your company, so don’t let that happen! Email us at hello@fit4privacy.com if you need help in getting compliant with EU GDPR. We can walk you through everything you need to know to make sure your business is ready. And, if you prefer to learn by yourself, take advantage of our Elite Privacy Masterclass for small businesses.

About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who has worked with professionals in over 30 countries. Punit works with CXOs and DPOs to identify and manage privacy risks, and create and implement privacy strategies in a world that is digital, AI-driven, and has data in the cloud. Punit helps you to create a culture of privacy by establishing a privacy network and training management. Selectively, Punit is open to being a privacy advisor or coach for you.


Punit Bhatia is the author of four privacy books, including “Be Ready for GDPR” and “AI & Privacy”. Punit is a global speaker who has spoken at over 50 global events and is the host and creator of the FIT4PRIVACY Podcast, which has been ranked amongst the top GDPR podcasts in 2020 and 2021.

Punit is also a board member at the ISACA Belgium Chapter and DPO Circle. In the past, he served as a Training Advisory Board member at IAPP.

Punit is known for using simple business language while avoiding legal jargon. Punit is a certified Fellow in Information Privacy (FIP), CIPM, COP, and CIPP/E.
