GDPR Requirements in Plain English

You just want to answer the question: “What do I need to do for GDPR?” Maybe you've worked your way through a few online quizzes to test for GDPR readiness or skimmed an article that made some vague suggestions. Learn the GDPR requirements.
Michael Buckbee
23 min read
Last updated May 9, 2022

You just want to answer the question: “What do I need to do for GDPR?”

Maybe you’ve worked your way through a few online quizzes to test for GDPR readiness or skimmed an article that made some vague suggestions.

Get the Free GDPR Attack Plan Video Course by Troy Hunt

Troy has shown us just how shockingly easy some vulnerabilities are to exploit.

You might even have attempted to read the source European Parliament on General Data Protection Regulation 4.5.2016 L 119/1 only to find that the human nervous system was designed to violently reject exposure to such dense legalese.

Which is why we’ve translated every chapter and article of the GDPR into something a person might be able to reasonably understand and implement. If you need immediate assistance with your GDPR compliance, request a 1:1 Demo on how Varonis can help.

Get started below:


Chapter 1 – GDPR Basics


Article 1 – Who does the GDPR Apply to?

What it says

EU citizens data now has a variety of protections. If your organization has personal data of EU citizens, this applies to you.

So you should

If you’re in the EU, read the rest of this document and start working on your data protection processes.



Located elsewhere? Yes, The GDPR Will Affect You



Don’t believe me? Separate from any regulations, the GDPR is a very practical approach to how to handle all the different aspects of data security.



Even if you’ve personally determined that you don’t need to necessarily become compliant, you definitely need to protect your user’s data and implementing the GDPR guidelines will help you improve that.


Article 2 – What Data does the GDPR Apply to?

What it says

This covers any file or database that has a person’s name or an ID in it.

So you should

Start tracking all of the data stores that are used in your company across marketing, research, customer service, support, etc.



GDPR Overview


Article 3 – What countries does the GDPR Apply to?

What it says

It doesn’t matter what country the hard drive containing the data is in, if it is about an EU citizen the GDPR applies.

So you should

Know where your data is located and where your marketing is occurring. Is your mobile app (even the free version) available in the European app markets? Did the new “growth hacker” hire decide to put $20 into a trial display ad that happened to include an EU country?



Learn more about GDPR Territorial Scope




Article 4 – What do these new terms we made up mean?

What it says

Personal Data – anything that you could conceivably use to identify a person within a larger group. This is likely broader than you think they consider combining data to be personal. aka while being left handed necessarily call you out, being a left handed male making between 30k to 60k who lives in the village of Shropshire on Lee may well.



Profiling – learning anything about a person’s preferences or inclinations. Seems mostly concerned with predicting behavior or future actions.



Controller – if you’re reading this, most likely this means you. It’s whoever decides what to do with the data that’s been collected. If you run a website that uses any marketing or analytics services you’re a controller.



Processor – typically this is any company that the controller tells to handle their data for any purpose. If you run a website and use Google Analytics, Google is the processor as they are acting at your direction.




So you should

Start making a list of all of the outside entities that you use for analytics, marketing or anything else within your company. Note: because humans are digital pack rats, make sure you include things like Box, Dropbox, GDrive or on premise storage systems as they’ll inevitably have files in them like: “Top 10 most common support issues 2015” that are stuffed to the brim with people’s names and IDs.



You’ll also want to really start tracking down any external services used on your website, your web host, etc. you don’t want to go through this exercise only to find out that your site backups are stored on an internet accessible Pentium box running under someone’s desk.



A good example of this is how Paypal has listed the Category, Party, Purpose and what Data is disclosed to each partner: Paypal 3rd Party List


Chapter 2 – How to Implement GDPR


Article 5 – How to handle personal data

What it says

Personal data should be kept:


– Accurate and up to date


– Secured


– Transparent about how it’s going to be used


– Restricted to the minimum needed to do the job

So you should

  • Review what you’re doing with any collected data- Track where you received it- Get consent (opt in) for using it- Have a plan for deleting stale or out of date data


    For stale unstructured files consider using an automated application like the Data Transport Engine to continuously purge dangerous data.


Article 6 – You should get consent for that data

What it says

Tell people what you are going to do with the data. Do that. Don’t do things with it other than that.

So you should

Educate your whole staff on what are and are not appropriate uses for collected data.



Provide a contact point and procedure for who to contact if violations are found.


Article 7 – How to prove you got consent

What it says

– Be able to prove consent was given for data


– Don’t bury the consent and usage info


– Use plain language and be specific


– Seriously, don’t use the data for things they didn’t consent to

So you should

  • Update any email newsletter or contact forms with improved consent language and links to your online Privacy Policy and TOS- Set up internal documentation linking data to what has been consented.- Be prepared to prove that you have consent for your collected data


Article 8 – Kids can’t give consent

What it says

– Humans 16+ years of age and older can give their consent


– Under 16? You’ll need their parent or guardian to give consent


– The choose your DOB form used on things like mature movie trailers is probably not going to cut it.


– Not human? You have other problems than GDPR.

So you should

Add filters keeping out children and don’t track people until consent is given


Article 9 – What types of data are considered most sensitive

What it says

Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation.

So you should

Review the data you currently have on hand and make sure that none of these special categories of data exist and / or could be inferred from the data you control.



It’s important to also consider a seemingly innocuous data field like “hobbies” and what that might indicate about a person.


Article 10 – How to handle criminal data

What it says

Unless you’re working for a legal organization you shouldn’t keep any data regarding convictions, or offenses about a person.

So you should

If you’re one of those places doing “online criminal record checks” you should probably just shut down and open an Etsy store selling band posters.


Article 11 – How to handle data with no identification

What it says

If you can legitimately claim that you can’t track a person from the interaction – it’s ok to tell them and then not track them.

So you should

Consider something like an anonymous feedback box at a supermarket.



It’s data. It’s collected. But there’s no correlation with other sources or means of identification, so it’s ok to not get opt in consent.


Chapter 3 – People’s Data Rights


Section 1 – Don’t make things confusing


Article 12 – Be transparent about what you’re doing with data

What it says

Be honest with people, use plain language to describe what you’re doing with their data at the time you collect it.



If people ask for what data you know about them don’t take longer than 30 days (from the request being made) to respond.



If people start trolling by making a crazy number of requests or other abusive actions, it’s ok to deny the request (within reason) or to charge a small fee for it to be completed.



If you think someone might be scamming by making a fake request on behalf of a legitimate person, it’s ok to ask them to prove their identity in another way.



Providing information to people along with standardized icons would be nice, just make sure they’re machine-readable.

So you should

Run any copy you write by a non technical person (or professional copywriter) to see if it makes sense.



Consider checking with a tool like the BlaBlaMeter or WhiterRhino’s Marketing Detector Tool



Have a procedure in place to handle personal data requests to have their data deleted or fixed (note the 30 day deadline).




Section 2 – What you need to tell people about what you’re doing


Article 13 – When you collect data from people, make sure you tell them these things

What it says

In your online forms (or anywhere you collect data from people), provide:



– Contact information for the company (and ideally the Data Privacy Officer)


– Describe what you’re going to use the data for


– List what categories of data you’re collecting


– How long you’re going to keep the data


– How to contact you about issues or to remove the data


– If the data is going to be used for profiling and in general terms the logic involved.


– You just need to do all this the first time, if they fill out a second form 30 seconds after the first we can assume they haven’t forgotten it all yet.

So you should

Provide links to your Privacy Policy, TOS and GDPR communications page (which should include most of these points) at every form entry point.



Here are some good examples of GDPR communications pages:







Article 14 – You need to tell people what you’re doing even if you’re not collecting personal data.

What it says

All of the above should be available even if you’re not collecting personal information.

So you should

Same as above


Article 15 – What rights people have about their own data

What it says

– People are allowed to ask if you have their data and you need to respond whether or not you do.


– If you do have their personal data, you need to provide them on demand:


– Why you have it


– What categories of personal data you have


– Who in your organization or third-parties accessed it (in particular if they were in another country)


– How long you plan on keeping their data


– That they’re able to request to have their data deleted or fixed as requested


– Source of where data was obtained


– That they have the right to lodge a complaint with the EU Commission if they’re displeased with your response.


– Unless something weird is going on, provide the data electronically


– Don’t compromise other people’s data while doing this

So you should

Be able to answer the questions listed here about the data you have on hand. In particular, the source, how long you have it and what steps to take if there are issues, errors or if they want it deleted.



If you haven’t already, pick an existing customer and run through the exercise of pretending they sent you a so called nightmare letter that would fully exercise all of their rights under the GDPR.


Section 3 – Fixing and Deleting Data


Article 16 – People can ask you to fix their data

What it says

If someone identifies a problem with your data about them, you need to fix it.

So you should

Have a procedure in place to handle information update requests.


Article 17 – People can ask you to delete their data

What it says

If any of the following apply, you need to be able to remove their data from your system ‘without undue delay’ which while they don’t come out and say it here, probably means within in 30 days.


– They withdraw consent (aka they feel like it) and there’s not a legal reason to keep it


– Data has been unlawfully processed (used for a purpose beyond what it was intended)


So you should

Have a procedure in place to handle data deletion requests.



This is generally considered described as The Right to Be Forgotten


Article 18 – People can ask you to pause what you’re doing with their data

What it says

People can request that their data be kept, but not worked with if that is what makes sense for a legal claim or while things are sorted out.



This is conceptually similar to a work stoppage on a construction site. Nobody is asking that you fill in the excavated foundation or pull out the pilings, but you can’t proceed with adding new floors or wiring the place up.

So you should

Have a procedure in place to handle data stoppage (pause) requests.


Article 19 – If you are making mass corrections to people’s data you need to tell them

What it says

If you have to do a bulk rectification, erasure or restriction (pause in processing) on a user data you need to inform them.

So you should

Be aware of scenarios that would escalate to this and require notice. For example, if a single person found an issue with your data collection that you then needed to perform on all of your data, you would need to notify all affected.


Article 20 – People can ask for their data to be exported in a nice format

What it says

People can request the data that you have about them


The data should be machine readable (CSV, XLS, XML, JSON).


The data should be structured and the entire process automated if possible


So you should

Start working on data export features to pull all of a user’s associated data out of your system and into an export format.



You need to handle unstructured data as well as data held in a database.



How to find GDPR data in Word, Excel, Exchange and Sharepoint






Section 4 – People can ask for human intervention in machine made decisions and opt out of being profiled


Article 21 – People can opt out of being profiled or being presented with filtered information

What it says

People can object to “profiling”, shaping content or what’s presented to them and request to be opted out.

So you should

Have an opt out system in place to stop remarketing, profiling, etc.


Article 22 – People can ask for a human to make a determination about themselves

What it says

People can opt out of entirely machine made decisions about themselves.

So you should

Have a system for manual review of automated processes and notifications in place.


Section 5 – Restrictions


Article 23 – Situations where this doesn’t apply

What it says

Individual countries can make laws that change these regulations for a bunch of cases like national security, etc.

So you should

You probably don’t have to worry about this if your job title isn’t “Minister of Security” or “Head of DHS”


Chapter 4 – Controller and Processor


Section 1 – What you need to do


Article 24 – What Controllers need to do

What it says

You need to document what you’re doing to comply with GDPR and be and be able to prove that in cases where it’s not self evident.

So you should

Keep a record of GDPR training, procedures, steps taken, etc.


Article 25 – Consider data protection and security before you do things

What it says

You shouldn’t collect more data than you need and what data you do collect you need to pseudonymise.

So you should

Educate your teams on privacy and data protection by design.



Checkout the Privacy by Design Cheatsheet



and Pseudonymization as an Alternative to Encryption


Article 26 – How to handle data sharing

What it says

If you’re sharing your data with another organization, you both need to agree who is responsible for what.

So you should

Get data sharing agreements in writing and clearly spell out responsibilities.


Article 27 – Do you need to hire someone who lives in the EU?

What it says

If you’re routinely collecting data (and for sure if it’s special category or criminal data) you need to designate a person in the EU as your representative for these matters.

So you should

Hire someone who resides in an EU country.


Article 28 – What Processors need to do

What it says

Services (Processors) that you (as the Controller) use need to be GDPR compliant.



They also aren’t allowed to put personal data into a non EU data center or transfer it to another third party without your say so.

So you should

Make sure all the services you use are GDPR compliant.



Most services should now have some page on their website that indicates their GDPR compliance status. On your own GDPR compliance page you should list and link to theirs.


Article 29 – Processors can only do what they’ve agreed to do with data.

What it says

Services that have been given personal data for processing should only work with the data as instructed.

So you should

If you’re not a processor, this doesn’t apply to you. If you are, then don’t engage in any speculative cross customer analysis, sell the data for other purposes, etc.


Article 30 – You need to keep track of what you’re doing with data

What it says

You need to track what is happening with personal data across your organization and any services it goes to. Including to what purpose.



If you have less than 250 employees and aren’t collecting data every day and aren’t dealing with special categories or criminal data you don’t have to do do this.

So you should

Figure out which data is sensitive, who can access it, and setup auditing so that you have a record of exactly what is happening to that data and can alert and investigate anything suspicious.


Article 31 – You need to cooperate if an authority asks you to

What it says

If your countries supervising authority asks to see your GDPR homework, you need to show them.


So you should

Be sure to document all of the steps you’re taking for GDPR compliance.



Perhaps more importantly you need to handle complaints from people regarding their data seriously as they may well escalate into fines and investigations.


Section 2 – Data security


Article 32 – Here’s the minimum you should do to keep your data secure

What it says

You should keep data secure.


– Encrypted at rest


– Ability to restore/recover from disaster


– Regular testing for security issues


– Take extra care to consider data breaches and consequences

So you should

Implement modern digital security methods.



– Secure Data Storage


– Entitlement reviews


– Data Breach plans


Article 33 – If you have a data breach, you need to notify the supervising authority

What it says

Once you become aware of a data breach (loss of data control) you have 72 hours to notify the [supervisory authority](

So you should

Have a data breach response plan.



Have a method of reporting security issues internally.




Article 34 – If you have a data breach, you need to inform people

What it says

You need to tell people ‘without undue delay’ if their data has been breached.



This will likely be determined to be within 72 hours (matching the supervisory authority timeframe)

So you should

Have a data breach incident plan ready to go.



Have a method of notifying users.



Read the Guide to the EU GDPR Breach Notification Rule


Section 3 – Consider and document how what you do may affect data security


Article 35 – You should write up a data protection impact assessment before new projects

What it says

Before you bring on new services to deal with data, you should figure out what impact that will have on security in terms of what exactly they are going to do with the data, an in particular if they’re doing to do profiling/filtering based on the data.

So you should

Document what impact each new service might have on your internal data protection efforts.


Article 36 – You can ask for permission and guidance.

What it says

If you’re doing some kind of data processing that would put data at risk, you need to consult with the supervising authority beforehand.



They’ll give you a written response within 8 weeks. Fun.

So you should

If you’re doing something like releasing an “anonymized” dataset that may still have some privacy impacts, you should get prior approval from the supervising authority.


Section 4 – Data Protection Officer


Article 37 – You should designate a data protection officer

What it says

There needs to be a single point of contact within your organization who can field requests about GDPR related items.

So you should

You need to designate a Data Privacy Officer.



They should be a competent Infosec professional who can address concerns and has the tools to act on requests.



More reading:



Do You Have to Hire a DPO?



DPO Requirement


Article 38 – What the data protection officer should handle

What it says

The DPO needs to be involved with data processing tasks and taken seriously.



– They can do other tasks, as long as they don’t have a conflict of interest.

So you should

Many organizations already have a CISO (Chief Information Security Officer) and it’s likely that may CISOs will pick up DPO responsibilities as well.



Whatever the title, what’s important is that data privacy and security concerns are considered within whatever projects happen in your organization.


Article 39 – What the data protection officer should do

What it says

The DPO should advise the company on how to comply with the GDPR on an ongoing basis.

So you should

Don’t treat your DPO like a mushroom farmer.


Section 5 – Trade groups can create codes of conduct and certifications


Article 40 – What’s a Code of Conduct?

What it says

Industries should draw up codes of conduct describing how GDPR regulations should be implemented within a specific industry.



For instance, the Pan European Game Information association might issue a Code of Conduct describing how game developers should handle the data they collect about gamers. In the same way they make recommendations about video game content around language, violence, and age ratings, they could make recommendations about how user data should be handled.



This makes a lot of sense as what they’re doing has a very different relationship with personal data than other industries like aluminium smelting or car repair.

So you should

You should check if there are any codes of conduct that your trade organization have published.



Codes of Conduct are still being developed and for the time being appear to be voluntary. It is something to keep an eye on as that may change or compliance may become entwined with other industry certifications or requirements.



For instance, PEGI ratings are not required for new video games, but the vast majority of retailers won’t stock your game in their store without one.



Similarly, there may come a time when PEGI releases a Code of Conduct describing the data protection standards needed to meet certification.


Article 41 – Associations can monitor Codes of Conduct

What it says

Associations (like PEGI in the above example) may monitor organizations to see if they’re complying with their published Code of Conduct.

So you should

If a Code of Conduct is available in your industry the association has final say over whether or not you meet the requirements of it.


Article 42 – Associations can certify that people meet the Code of Conduct

What it says

Associations can establish certifications (a stamp of approval) that can be granted to organizations who meet the terms of the Code of Conduct

So you should

Check if a certification is available for your organization.


Article 43 – Certifications need approved

What it says

Certification groups need to be approved by the supervisory authority.

So you should

Check if the certification you’re working towards has been approved by the supervisory authority


Chapter 5 – How to handle transferring data out of the EU and GDPR


Article 44 – Generally you should get permission

What it says

You should get permission before transferring data.

So you should

Have a process in place for documenting data transmission actions and agreements


Article 45 – Countries that aren’t in the EU but have their own GDPR like requirements

What it says

If the Commission says another country meets their rules, you don’t need the permission to transfer there.

So you should

Check what countries are included before going through the transfer agreements.


Article 46 – You have to consider data safety in transferring data to another country

What it says

If you transfer data to another country it will need to have adequate data safety laws and guarantees.

So you should

Read the fine print on each country’s approach to data safety.


Article 47 – Non EU companies can create their own strict data handling rules to be GDPR compliant

What it says

If a company that is not in the EU wants to handle EU data they can create binding corporate rules that match the GDPR regulations.



If these are strictly followed then it could be ok to transfer data to them out of the EU.

So you should

If you are planning to work with a company outside of the EU/GDPR requirements, find out if they have corporate rules that could make them GDPR compliant.


Article 48 – How to handle international legal data disputes

What it says

If a judge orders data to be transferred it needs to not violate international law.

So you should

It seems odd to have to write this, but “don’t violate international law”


Article 49 – A fallback for when the country you’re trying to transfer to has no data rules

What it says

If there’s no rules in the country you’re transferring data to, you need to at least get the user’s permission first (or have another good reason)

So you should

If you’re following the other directives to get user consent before taking action, you should be covered for this as well.


Article 50 – We would like countries outside the EU to work with us

What it says

Countries should get along.

So you should

Hope they do get along, it would make all of our jobs easier.


Chapter 6 – Supervisory Authorities (the agency that monitors GDPR within your country)


Section 1 – Independent Status


Article 51 – What a Supervisory Authority should do

What it says

Countries should monitor whether companies are paying attention to these GDPR rules.

So you should

You should find out what agency or division within your country is handling GDPR enforcement.


Article 52 – Supervisory Authorities shouldn’t have conflicts of interest

What it says

Supervising authorities shouldn’t take bribes or have conflicts of interest.

So you should

Refrain from bribing your supervising authority. This isn’t FIFA.


Article 53 – How to get a job working within a Supervisory Authority

What it says

The people in the supervising authority should be appointed by the government.

So you should

No need to run a political campaign, the people are appointed not elected.


Article 54 – Core Supervisory Authority rules

What it says

It’s up to each country to figure out the job requirements and terms for the people in the supervising authority.

So you should

Polish up that LinkedIn resume and start looking at the ads in the Economist for a hot new career in authoritative GDPR supervising.


Section 2 – Competence, Tasks and Powers


Article 55 – Competence

What it says

There’s a lot of technical details involved with GDPR (encryption, data storage and transfer). The people who have oversight on this should be able to understand the concepts at play in the field of data security.

So you should

Check out the Troy Hunt courses on Web Security Fundamentals, Computer Security and the GDPR attack plan.


Article 56 – Competence of the lead supervisory authority

What it says

Supervising authorities should handle issues that mostly happen in their own countries.

So you should

While the GDPR is EU wide, your interactions with it will most likely be with the supervising authority of your own country.


Article 57 – Tasks

What it says

If you’re a Supervisory Authority, you should hear complaints, promote data safety and be a force for good in the efforts of data safety and security.

So you should

There’s nothing you directly need to do with respect to this article, but I think it’s nice that they aspirationally added it anyway.



It at least gives me hope that the supervising authorities will do more than draconically enforce GDPR requirements.


Article 58 – Powers

What it says

Supervision Authorities can issue warnings to companies, force companies to issue data breach notices, withdraw certification, order the suspension of data flows.

So you should

If you’re in communication with your authority, they can cause your organization significant distress. Listen to them.


Article 59 – Activity reports

What it says

Every year you should publish a report to the public stating what actions you have taken.

So you should

You should do your best to keep your company off of this report.


Chapter 7 – Cooperation and consistency


Section 1 – Cooperation


Article 60 – Cooperation

What it says

Supervising Authorities should help each other out


Article 61 – Mutual assistance

What it says

Supervising Authorities should share their information and requests with one another.


Article 62 – Joint operations of supervisory authorities

What it says

If an incident or investigation calls for it – supervising authorities should conduct joint investigations.


Section 2 – Consistency


Article 63 – Consistency mechanism

What it says

Hold onto something. We’re about to tell you how to cooperate.


Article 64 – Opinion of the Board

What it says

For specific issues like new requirements, criteria or corporate rules these need to be approved by the Board


Article 65 – Dispute resolution by the Board

What it says

The Board with handle disputes between SAs


Article 66 – Urgency procedure

What it says

If some new technology or process is developed (like quantum brain data telepathy) that’s outside the bounds of current regulations, and it’s time sensitive, the SA can implement a new regulation without going through the Board.

So you should

Refrain from inventing any technologies that will disrupt the secure communications infrastructure and data storage of the world’s economy. AKA no practical quantum computing


Article 67 – Exchange of information

What it says

The Commission will figure out how to get supervising authorities to securely share information with each other later.

So you should

Find out if the Commission sorted out how to do this in a GDPR compliant manner.


Section 3 – European Data Protection Board


Article 68 – European Data Protection Board

What it says

There is now a European Data Protection Board (because we said so). Every country gets to pick one person from their supervising authority to be on it.

So you should

Find out who your country’s representative is and wish them luck with this new endeavor.


Article 69 – Independence

What it says

The Board is a strong independent Board that lives life on its own terms and doesn’t take guff from anybody.

So you should

Respect the Board.


Article 70 – Tasks of the Board

What it says

We’re going to make guidelines for your guidelines.

So you should

Read the guidelines.


Article 71 – Reports

What it says

Every year there will be a public report of our activities which will include practical suggestions and best practices.

So you should

Look for this report as when it comes out it could be genuinely useful and informative.


Article 72 – Procedure

What it says

Most votes wins for decisions, but if you want to change the rules you need a 2/3 vote.

So you should

Start lining up a super majority of representatives if you want to make substantive changes to the GDPR regulations.


Article 73 – Chair

What it says

There will be a chair and two deputies who are elected. 5 year term. 2 term limit.

So you should

Find out who the chair of the committee is and follow them on Twitter.


Article 74 – Tasks of the Chair

What it says

Hold meetings. Talk to the lead supervising authorities.


Article 75 – Secretariat

What it says

The secretariat will handle the day to day business

So you should

Keep it firm in your mind that this is a serious and responsible position held by a respected individual within an august institution and not the horse that won the Triple Crown in 1973.


Article 76 – Confidentiality

What it says

Board business can be confidential if it’s sensitive.

So you should

Opt to not hack the Board. That would be in poor taste.


Chapter 8 – Remedies, liability and penalties


Article 77 – Right to lodge a complaint with a supervisory authority

What it says

Anyone can make a complaint to the supervising authority about any company that is in possession of their data.



The supervisory authority needs to take this complaint seriously and keep the person making the complaint updated on their investigation into the issue.

So you should

You don’t need to take any direction action with respect to this article, but it underlines one of the primary ways that you and your organization may come to the attention of your supervising authority.



In particular, you should note that it’s a requirement of your GDPR compliance that you inform and direct people to the supervising authority where they can make a complaint.



– Look up the Data Protection Authority in your country and note the others in case you’re contacted by one.


Article 78 – Right to an effective judicial remedy against a supervisory authority

What it says

Individuals can sue the supervisory authority if they feel that their complaint wasn’t appropriately handled.

So you should

This article is highly unlikely to affect you (as I can’t imagine a supervising authority reading this article for legal advice).



However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.



It’s explicity writing in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it’s being used.


Article 79 – Right to an effective judicial remedy against a controller or processor

What it says

Users have a right to a “judicial remedy”

So you should

Involve your corporate legal counsel as you could be brought to court in parallel with or as an escalation from a complaint.


Article 80 – Representation of data subjects

What it says

Users can create a non profit legal entity to more effectively sue companies (controllers and processors) together in court.

So you should

Be prepared to get lots of class action lawsuit emails.


Article 81 – Suspension of proceedings

What it says

If a controller is being sued in another country the case in the starting country can be suspended.

So you should

Good luck to you if you’re a controller or processor embroiled in lawsuits in multiple countries simultaneously.


Article 82 – Right to compensation and liability

What it says

1. Who can receive compensation?


Anybody who had their data right infringed (even if they weren’t directly harmed)”



2. Who is liable?


Any controller or processor who messed up. ”




3. Any outs?


If you can prove that you were not in any way responsible (including negligence) then you’re stuck.”




4. How is compensation split?


Where multiple entities are responsible. They are all each responsible for the full payment.”




5. Claim backs?


After a processor/controller has paid the user they can sue each other in court about who is really liable.”




6. What jurisdiction is this?


The country you’re in.

So you should

Significant thought and weight has been put into the GDPR describing exactly how you and your organization are going to pay out fines.



The process greatly favors the individual raising a complaint against you.


Article 83 – General conditions for imposing administrative fines

What it says

Fines for violations shall be “effective, proportionate and dissuasive”



Depending on how well you’ve been securing data and getting user consent this could be millions of dollars or 2% of your revenue.

So you should

Do all you can to comply with GDPR regulations as this isn’t a lightswitch of fine/no fine.



It is a sliding scale that takes into account what you’re doing with the data, what controls are in place, documentation, processes, etc.


Article 84 – Penalties

What it says

Countries can add on fines above and beyond what is laid out here.

So you should

Limber up your checkbook.


Chapter 9 – Provisions relating to specific processing situations


Article 85 – Processing and freedom of expression and information

What it says

Supervising authorities can’t hinder journalists, academic or artists freedom of expression with their rules (in general).

So you should

If you’re dealing with data that is generally in the public interest you should look more closely at your data handling procedures.


Article 86 – Processing and public access to official documents

What it says

Governments and entities still need to hold onto your information if it’s in the public interest.

So you should

Not expect to be able to get out of a parking ticket by invoking the Right to be Forgotten.


Article 87 – Processing of the national identification number

What it says

Each government needs to set rules on how their National ID is treated

So you should

It’s not sufficient to just treat your own country’s ID information as personal and sensitive. You need to find and alert on the IDs from each EU country.


Article 88 – Processing in the context of employment

What it says

Governments can set more specific laws around employment data

So you should

Employment data in your organization’s HR department may well be kept in a separate system than your user data. It has its own set of rules governing access and what needs to happen with it under GDPR.


Article 89 – Data kept in the public interest (for scientific or historical purposes) may be exempt

What it says

Archiving in the public interest can occur, but needs to be deliberately safeguarded

So you should

It’s unclear how exactly the limits of archiving in the public interest will be set.



But if you’re doing work in a protected area it’s likely that the supervisory authority will recognize that.


Article 90 – Spies have their own rules

What it says

Intelligence agencies get their own set of rules

So you should

This article is highly unlikely to affect you (as I can’t imagine a supervising authority reading this article for legal advice).



However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.



It’s writing in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it’s being used.


Article 91 – Faith based exemptions

What it says

Religious institutions have some special exemptions

So you should

If you’re a church, mosque or other religious organization, the existing privacy laws you operate under apply in addition to the GDPR.


Chapter 10 – Bureaucratic Legalese


Article 92 – Exercise of the delegation

What it says

This is all subject to change if we’re ordered to do so


Article 93 – Committee procedure

What it says

The Commission has a committee


Chapter 11 – Final provisions


Article 94 – Repeal of Directive 95/46/EC

What it says

The old privacy and data regulations are out GDPR is in


Article 95 – Relationship with Directive 2002/58/EC

What it says

GDPR needs to fit in with these old regulations


Article 96 – Relationship with previously concluded Agreements

What it says

Any one off international agreements are dead. Long live GDPR!


Article 97 – Commission reports

What it says

Every 4 years the Commission will report on the status of the GDPR.


Article 98 – Review of other Union legal acts on data protection

What it says

There may be some inconsistencies with other legal acts. The Commission will work to smooth those out.


Article 99 – Entry into force and application

What it says

Judgement Day is May 25th 2018


This content is provided as general non-legal information and does not constitute individualized advice. Please consult with your legal advisors as to the particular implementation on your company

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

A Year in the Life of the GDPR: Must-Know Stats and Takeaways
This review of the GDPR covers how it's changed the way industries and individuals function online through GDPR stats, fines and policies of this past year
Using Salesforce Analytics for GDPR Compliance
GDPR compliance can be stressful. This guide shows you how to use Salesforce Analytics to comply with GDPR regulations by walking through common use cases.
Frequently Asked Questions (FAQ): GDPR and HR/Employee Data
As I wrote in another post, HR records are considered personal data and covered under the General Data Protection Regulation (GDPR). Since I keep on hearing from people who should...
What is the EU General Data Protection Regulation?
Table of Contents DPD 2.0 GDPR Vocabulary Articulating the Articles More Articles: The New Stuff Focus Your GDPR Compliance Note: This post now reflects the final version of the EU...