
What is the GDPR? Find out everything you need to know


By Anaraya Albornoz

Published: 28 April 2025

What is the General Data Protection Regulation (GDPR)? Are you still unclear about it? Have you just started your own business? You may have heard of the GDPR, and perhaps you even know that it is a law about personal data.

To help you see it more clearly, we offer you an article with everything you need to know about this regulation.

GDPR: what is it?

The General Data Protection Regulation (GDPR) is the European framework for the processing and handling of personal data.

European companies, and any companies that handle EU citizens' data, rely on this regulation when providing services and products. The text, known as the GDPR in English, entered into force on 25 May 2018.

What is personal data?

Before we look at how it affects our company, we need to be clear about what we mean by personal data. Some examples of personal data are:

  • Gender.
  • Age.
  • Telephone number.
  • E-mail address.
  • Salary or remuneration.
  • Photograph of face.
  • Postal address.
  • Marital status.
  • Username and password.
  • Bank card number.
  • Social security number.
  • Use of eyeglasses (and degree of correction).
  • Any physical characteristics.
  • Any psychological characteristics, etc.

This regulation also covers sensitive information collected, for example, to monitor or manage a place open to the public:

  • Political opinion.
  • Trade union activity.
  • Religious (or agnostic) belief.
  • Sexual preferences.
  • Medical information.
  • Biometric analysis.
  • Criminal convictions.
  • Data relating to a minor.

Any collection of information for the purpose of consumer profiling must also be protected and must stay within the framework of transparency imposed by the law:

  • Data collected on the internet through cookies.
  • Analysis of identified user behaviour on the website (behavioural data).
  • Online and offline consumption habits.
  • Advertising retargeting practice.
  • Metadata related to an individual.

Whether collected and used through a secure online platform, elsewhere on the Internet or offline, all personal data should benefit from the safeguards laid down by European law:

The principles related to data protection should apply to any information relating to an identified or identifiable natural person.

Source: Directive (EU) 2016/680 of the European Parliament and of the Council on the GDPR published in the Official Journal of the European Union on 27 April 2016.

© Coregistros Blog

How does the GDPR work in the business world?

Is my company affected by the GDPR?

Your organisation must comply with the new regulation if, in the course of its business, it deals with anyone described by at least one of the following words: prospect, customer, employee, colleague, patient, taxpayer, citizen, user, member, donor.

Another way to find out is to ask yourself whether you manage data in CRM software, an online platform or an archive, or whether you collect, process and use private data of European citizens. As the aim of the GDPR is to protect the citizen, there is a 99.9% chance that your company is affected!

The European Data Protection Regulation applies to the following companies and organisations:

  • SMEs.
  • Local authorities, administrations.
  • Companies (human resources managers, those responsible for processing customer data).
  • Associations (professional, political, religious, etc.).
  • Hospitals and medical professionals.
  • Anyone responsible for hosting a website.
  • Cloud backup companies.
  • Data storage services.
  • Publishers of software or computer systems installed in companies.

How should I behave if I am affected by the GDPR?

The right of individuals to control their personal data means that the company must offer the following options:

  • Portability of their data: an EU citizen must be able to obtain their data from one service in order to pass it on to another.
  • Transparency in the use of their data: citizens must be informed about how their data is used. They should be able to access and modify their data as they wish.
  • Children under 16 are protected: on the internet, any platform must obtain a parent's consent before their child can register.
  • The right to be forgotten: in accordance with the principle of respect for private life, citizens can demand the complete removal of a website from the results of a search engine (de-indexing).

This new regulation makes the company responsible: it becomes the data controller and must be able to prove its compliance through documentation. This principle is known as accountability.

These are the main obligations that must be fulfilled and documented to comply with the GDPR:

  • Maintain a record of processing activities comprising: the controllers, the nature of the data, the purposes, a classification of the processing, the duration of storage, and the geographic flows and transfers of data, so that the data can be traced.
  • Conduct a data protection analysis (PIA - Privacy Impact Assessment): this comprehensive study identifies the risks of data loss or leakage, their causes, and lists the technical means and solutions required for protection and security.
  • Implement internal procedures: educate employees and establish best practices, implement all mandatory processes allowing the data owner to exercise their rights (rectification, portability, deletion, etc.).
  • Implement technologies that ensure confidentiality and data security: all procedures must be detailed in writing, and it is strongly recommended to build a high level of security and confidentiality into the design of each processing activity and the technology linked to it. This approach is called Privacy by Design.
  • Monitor transfers of data outside the EU: check contracts with subcontractors and suppliers and make sure they are GDPR compliant, to avoid any risk.
  • Retain evidence of consumer or user consent.
  • Detail the procedures in place in case of a data breach: you must notify the data subjects as soon as possible and inform the supervisory authority within 72 hours.

The actors responsible for protection: GDPR in Spain

This regulation gives the citizen a protection authority to turn to if they find anomalies in the handling of their personal data. The supervisory authority in Spain is the AEPD (Spanish Data Protection Agency). This body issues certifications, carries out inspections and imposes sanctions on companies that fail to comply with the regulation.

These are the main actors in compliance with the GDPR:

  • The company using personal data: controllers and processors must adopt a transparent code of conduct, implement compliant procedures and provide documentary evidence in case of an inspection.
  • The DPO (Data Protection Officer): this expert works for the company; his or her mission is to ensure the best possible data protection and to support the company in complying with the GDPR.
  • Subcontractors: they share the responsibility as soon as their activity involves data processing, whether their head office is in Europe or elsewhere in the world.

Legal framework of the GDPR

Directive (EU) 2016/680 of the European Parliament and of the Council on the GDPR was published in the Official Journal of the European Union on 27 April 2016 and entered into force in 2018. The articles developed in the organic law specify important concepts:

  • Article 4 - Principles relating to the processing of personal data: emphasises in particular the legal aspects of processing, the relevance of the data collected in relation to the purpose of use, as well as a reasonable retention of information over time (12 months).
  • Article 28 - Prior consultation of the supervisory authority: indicates that the data controller must provide an impact assessment to the supervisory authority upon request. This authority assesses the data protection conditions.
  • Article 32 - Appointment of the Data Protection Officer: obliges any company to have a data protection officer (in addition to the data controller) with technical and legal expertise, who is able to report to the supervisory authority.
  • Article 37 - Transfers with appropriate safeguards: stresses that transferring personal data to a country outside the European Union requires the controller to inform the supervisory authority and to make available to it documentation specifying the "appropriate safeguards" for data protection.

Penalties for breaches of the GDPR

The fines are undoubtedly high. However, we should not forget the damages that every citizen can claim: beyond the financial loss, the repercussions on the company's image can destroy its reputation and hurt its business through the loss of customer confidence.

The fine can be up to €10 million: if the supervisory authority determines that the company does not comply with obligations such as the impact assessment (EIPD) or keeping a record of processing, it will be subject to a fine equivalent to 2% of annual worldwide turnover.

The fine can be up to €20 million: if the supervisory authority determines that the company does not comply with its obligations under the consent principle and does not respect the rights of individuals, the fine can be up to 4% of annual global turnover.

Benefits of GDPR data protection

Although complying with this regulation may seem costly, the benefits of the GDPR for a company or organisation are manifold. The security requirements make us more trustworthy in the eyes of customers, creating a very favourable business climate. Another point to bear in mind is that this regulation standardises processing activities across the European Union. And, especially if you work in marketing, you will have more secure and reliable data, which translates into better campaigns.

Modified article, originally published in February 2020

Article translated from Spanish