GDPR and Data Protection 101 for Organizations


By Kadian Davis-Owusu, published on November 18, 2025

What is the GDPR?

The General Data Protection Regulation (GDPR) is the EU law that governs how personal data of individuals in the European Union may be collected, stored, used, and shared. It applies to any organization, inside or outside the EU, that processes personal data of EU residents. For organizations, this means every customer, employee, or supplier record that can identify an individual falls under GDPR protection.

What is personal data?

Under Article 4(1) of the GDPR, personal data means any information that identifies or can identify a living person, directly or indirectly.

Examples include but are not limited to the following.

  • Customer and employee data - names, email addresses, ID numbers, and payroll records.
  • Digital data - IP addresses, device identifiers, and online behaviour patterns.
  • Visual and audio data - security footage, photos, and recorded calls.

Some types of information, called special categories of personal data, require extra protection. They include the following.

  • Health information.
  • Biometric and genetic data.
  • Racial or ethnic origin.
  • Political, religious, or trade union data.
  • Sexual orientation or life details.

Even if your data does not fall into these categories, data misuse can still create legal and reputational risk.

Notably, not all data is considered personal under the GDPR.
The following data do not fall within the GDPR's scope.

  • Data about organizations (e.g., a company name, business registration number, or generic corporate email such as info@company.com).
  • Data about deceased individuals: GDPR only protects data related to living, identifiable people.

Figure 1 illustrates the components of personal data.

Key roles and responsibilities

Every organization needs to clearly define who does what under the GDPR. The key roles are defined in Article 4:

  • Data processor -  "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;" 

    For instance, a cloud storage provider is a data processor because it only stores and manages personal data on behalf of another organisation and does not decide why the data is collected or how it is used. It simply follows the controller’s instructions about how the data should be handled and secured. Similarly, a payroll company acts as a data processor because it processes employee salary and tax information strictly based on the instructions from the employer. The payroll company does not choose what employee data is collected or why; it only performs the processing tasks the employer has asked it to carry out.

  • Data controller - "means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;"

    For example, a hospital is a data controller because it decides what patient information must be collected, why it is needed, and how it will be used. Furthermore, the hospital determines the medical records it keeps about a patient’s diagnosis, treatment, and history, and it sets the rules for how this information is stored and accessed. In addition, a government authority is also a data controller because it decides what citizen data is required to carry out legal duties. For instance, a local government may collect personal information for issuing passports, managing tax records, or providing social services, and it determines the purposes and procedures for processing this data under its legal mandate.

  • Data subject -  "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" 

    For example, a patient visiting a hospital is a data subject because their personal and medical information, such as their name, health history, diagnosis, and treatment details, is collected and processed by the hospital. The patient is the individual to whom the data belongs. Likewise, a citizen interacting with a government authority is a data subject. When someone applies for a passport, files taxes, or requests social benefits, the government processes their personal information, making that individual the data subject.

    A customer using an online service is also a data subject, because their personal details, such as email address, purchase history, or account information, are processed by the organization offering the service. Similarly, an employee of a business is a data subject when their employer collects and processes information about their salary, performance, or benefits. In both cases, the individual whose data is being processed is the data subject.

Having these roles formally documented is essential for compliance and accountability.

Six legal bases for processing data under the GDPR

The GDPR requires organizations to have a legal basis for every processing activity involving personal data.
In other words, you must be able to explain why you are using someone’s data, and on what lawful grounds.

Below are the six legal bases outlined in Article 6 of the GDPR, explained in simple, practical terms for organizations.

1. Consent 

You have obtained clear and explicit consent from the individual to process their data for specific purposes.

Examples include but are not limited to the following.

  • Email newsletters or marketing sign-ups.
  • Customer feedback surveys.
  • Optional biometric or facial recognition programs.

Here is a tip: consent must be freely given, specific, informed, and withdrawable.

2. Contractual necessity

Processing is lawful when it is necessary for the performance of a contract with the individual.

In simpler terms, this means you can process personal data that are directly required to deliver what has been agreed in the contract.

Examples include but are not limited to the following.

  • Managing employee payroll or benefits.
  • Processing a purchase order and delivering goods.
  • Providing an online subscription or service access.
  • Responding to a pre-contract request or quotation.

However, be careful not to over-collect or overuse data.
You must not process personal data that are not strictly necessary for performing the contract.

If you wish to process additional personal data, for example for marketing, analytics, or service improvement, you will need:

  • Consent from the individual, or
  • Another valid legal basis under Article 6 GDPR.

The only exception is when the new use qualifies as compatible further processing, meaning it aligns closely with the original purpose and does not infringe on individuals’ rights or expectations.

In short:

Process personal data strictly to carry out the contract.
If the data is not required for that purpose, rely on a separate lawful basis or demonstrate that the further processing is compatible with the original purpose.

3. Legal obligation

Processing is required to comply with the law, not contract terms.

Examples include but are not limited to the following.

  • Reporting employee income to tax authorities.
  • Maintaining health and safety records.
  • Complying with employment or financial laws.

4. Vital interests

Processing is necessary to protect someone’s life or physical safety. This basis is used only in emergencies.

Examples include but are not limited to the following.

  • Sharing medical data in a workplace emergency.
  • Contacting next of kin during an accident.

5. Public task or official authority

Processing is carried out in the public interest or under official authority.
Mostly applies to public bodies or organizations acting on behalf of public authorities.

Examples include but are not limited to the following.

  • Health and safety inspections.
  • Public education services.
  • Social service programs.

6. Legitimate interests

Processing is necessary for your organization’s legitimate interests, as long as those interests are not overridden by individual rights.

Examples include but are not limited to the following.

  • Fraud prevention.
  • Network and data security.
  • Customer relationship management.
  • Direct marketing to existing customers (soft opt-in).

How to choose the right legal basis

Before collecting any personal data, organizations can carry out the following steps.

  1. Identify your purpose for processing.
  2. Select one legal basis that fits.
  3. Document it in your internal compliance records (i.e., your data management plan and/or your record of processing activities).
  4. Communicate it clearly in your Privacy Notice.

Table 1 shows examples of activities and their corresponding legal basis.

  Activity                   | Legal basis
  ---------------------------|---------------------
  Employee payroll           | Contract
  Tax reporting              | Legal obligation
  Emergency contact details  | Vital interests
  Staff satisfaction survey  | Consent
  Website analytics          | Consent (cookies)
  Cybersecurity monitoring   | Legitimate interest

Here is the takeaway

Every data process in your organization, from marketing to HR, must rest on one lawful foundation.
Choosing and documenting that foundation is vital for GDPR compliance.

If you can’t explain the legal basis for processing, you should NOT be processing the data.

The GDPR principles

GDPR’s Article 5 defines six core principles that must guide every aspect of data management.
Think of them as the foundation of responsible data handling. 

  1. Lawfulness, fairness, and transparency – Be open, honest, and lawful in how data are used.
  2. Purpose limitation – Collect data for specific, legitimate purposes only.
  3. Data minimisation – Collect only what is necessary.
  4. Accuracy – Keep data correct, complete, and up to date.
  5. Storage limitation – Retain data only for as long as needed.
  6. Integrity and confidentiality – Protect data from loss, alteration, or unauthorized access.

These principles are the backbone of every GDPR-compliant data policy.

Real GDPR case studies - Lessons from major enforcement actions

The GDPR is not merely theoretical. Regulators across the EU actively enforce it, and organizations of all sizes, from global platforms to small businesses, have received significant penalties. Below are real-world examples that illustrate how violations occur and what organizations can learn from them.

Meta Platforms (Facebook) – €251 Million Fine

In December 2024, Meta was fined €251 million by the EU regulator for a 2018 breach affecting 29 million users (about 3 million of them in the EU and European Economic Area). A vulnerability in the View As feature exposed personal data including names, contact details, location information, and other sensitive attributes.

Key lessons learned are described below.

  • Privacy-by-design is essential and should be incorporated into systems from the outset rather than being an afterthought.
  • Even large organizations face heavy penalties.
  • Documentation and timely breach notification matter.

Clearview AI – €30.5 million fine for biometric processing

The Dutch Data Protection Authority fined Clearview AI (an American company) €30.5 million for scraping images of EU residents to build a facial recognition database without consent or transparency. Because biometric data is special category data, the risks and compliance requirements are significantly higher.

Key lessons learned are discussed below.

  • Special category data requires explicit consent or a strict legal basis.
  • Transparency is non-negotiable and must be prioritized.
  • Global companies must comply with the GDPR even without a physical EU presence.

LinkedIn – €310 million fine for unlawful advertising processing

In October 2024, LinkedIn was fined €310 million for processing user data for targeted advertising without a valid legal basis under Article 6.
The issue was not a data breach; it was improper internal use of personal data.

Key lessons learned are articulated below.

  • You must clearly document the legal basis for every processing activity. Without a proper legal basis there exists a serious violation of the data subject's fundamental right to data protection.
  • Legitimate interests cannot be assumed. Transparency is therefore essential to ensure that data subjects are fully informed about the scope and purpose of the processing and can meaningfully exercise their rights.
  • Even secure systems fail compliance if their lawful basis is unclear.

Why your organization needs a data protection policy

A data protection policy is essential to ensure GDPR compliance.
It provides a clear, company-wide framework for how personal data are collected, processed, and safeguarded.

A good policy should include the following.

  • Define the organization’s commitment to data protection and privacy.
  • Identify who is responsible for compliance (Data Controller, Data Protection Officer, etc.).
  • Explain lawful processing, retention, and sharing practices.
  • Outline procedures for handling data subject requests.
  • Specify data breach reporting and security measures.
  • Reference key compliance tools (DMP, DPIA, and ROPA).

Your data protection policy should be reviewed annually, shared with all employees, and embedded into your organizational governance.

Core compliance tools and practices

1. Data management plan (DMP)

A DMP outlines how data are collected, stored, secured, used, and disposed of throughout their lifecycle.
It supports efficiency, clarity, and accountability.

An organization's DMP should include the following.

  • Data categories collected.
  • Purpose and legal basis for each dataset.
  • Data storage systems and backup protocols.
  • Access controls and permissions.
  • Retention and disposal timelines.
  • Security and encryption measures.
  • Ownership and data stewardship responsibilities.

Having a DMP ensures your data is findable, accessible, interoperable, and reusable (FAIR) and compliant with GDPR’s accountability principle.

2. Privacy scan

A Privacy Scan is a quick internal audit to check if personal data is involved and whether a full DPIA is required. It helps flag privacy issues early, before a project begins. You may use this template.

3. Data protection impact assessment (DPIA)

A DPIA is a structured risk assessment for data-intensive or high-risk projects.
It’s required under Article 35 GDPR when processing is “likely to result in a high risk” to individuals’ rights.

When to conduct a DPIA?

  • Using new technologies (AI, monitoring, profiling).
  • Handling sensitive or large-scale personal data.
  • Monitoring employee or customer behaviour.
  • Merging datasets that may lead to re-identification.

Key steps to conduct a DPIA include the following.

  1. Describe the processing and purpose.
  2. Assess necessity and proportionality.
  3. Identify potential privacy risks.
  4. Define risk mitigation measures (encryption, pseudonymization, and access limits).
  5. Review with your Data Protection Officer (DPO).

Keep DPIA documentation as evidence of compliance and risk management. Here is a sample DPIA template.

4. Record of processing activities (ROPA)

Maintaining a ROPA (as per Article 30 GDPR) is mandatory for many organizations.
It documents the following.

  • The types of data processed.
  • Purposes of processing.
  • Categories of data subjects.
  • Data retention and sharing practices.
  • Security and safeguards in place.

The ROPA is your audit trail, proving you know what data you hold, why, and how it is managed.

5. Security and access tools

To protect personal data, organizations should use the following tools and conduct the following activities.

  • Encryption and pseudonymization tools.
  • Secure cloud storage and institutional servers.
  • Password and access management systems.
  • Version control for data changes.
  • Regular staff training on privacy awareness.
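The list above names encryption and pseudonymisation tools, and the DPIA steps earlier name pseudonymisation as a risk-mitigation measure. As an added example (not from the article or from any tool the article mentions), the Python below shows keyed pseudonymisation of a small record set: direct identifiers (name and email address) are replaced by an HMAC-derived subject id, the key is the "additional information" that Article 4(5) says must be kept separately from the dataset, and a check shows why an unkeyed hash of an email address does not give the same protection. The records, field names and addresses are constructed sample data, and the `subject_id` field name is an assumption.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not the article's own code)."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample extract: an HR/customer record set with direct identifiers.
# The second row is the same person with a differently cased address.
SAMPLE_RECORDS = [
    {"name": "Ann Example", "email": "ann@example.org", "department": "Sales", "salary_band": "B"},
    {"name": "Ann Example", "email": "Ann@Example.org", "department": "Sales", "salary_band": "B"},
    {"name": "Bob Sample", "email": "bob@example.org", "department": "IT", "salary_band": "C"},
]

# Fields that identify a person directly and must not leave with the dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that makes pseudonyms reversible only by the key holder.

    This key is the 'additional information' of Art. 4(5): store it separately
    (e.g. in a secrets manager) from the pseudonymised dataset."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Normalise so trivial variants of the same identifier map to one pseudonym."""
    return identifier.strip().lower()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier: stable for joins, not computable without the key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256, often mistaken for anonymisation; anyone can recompute it."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def pseudonymise_records(records: Iterable[dict], key: bytes) -> list:
    """Drop direct identifiers and attach a keyed subject id derived from the email."""
    output = []
    for record in records:
        kept = {field: value for field, value in record.items() if field not in DIRECT_IDENTIFIERS}
        kept["subject_id"] = keyed_pseudonym(record["email"], key)  # assumed field name
        output.append(kept)
    return output


def contains_direct_identifiers(records: Iterable[dict]) -> bool:
    """Release gate: refuse to ship a dataset that still carries a direct identifier."""
    return any(field in record for record in records for field in DIRECT_IDENTIFIERS)


def guess_identity(pseudonym: str, candidates: Iterable[str],
                   pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Self-check for a pseudonymisation scheme: feed known identifiers through the
    same function and see whether any reproduces the pseudonym. A scheme that fails
    this check with a public function offers no protection against re-identification."""
    for candidate in candidates:
        if pseudonymise(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    released = pseudonymise_records(SAMPLE_RECORDS, key)
    print("direct identifiers left:", contains_direct_identifiers(released))
    print("rows 0 and 1 share a subject id:", released[0]["subject_id"] == released[1]["subject_id"])
    known = ["ann@example.org", "bob@example.org", "carol@example.org"]
    print("unkeyed hash re-identified as:", guess_identity(plain_hash("ann@example.org"), known, plain_hash))
    print("keyed pseudonym re-identified as:",
          guess_identity(keyed_pseudonym("ann@example.org", key), known, plain_hash))
```

The design point is separation: the dataset that analysts or processors receive carries only `subject_id`, while the key stays with the controller, so re-identification is possible for the controller (a data subject access request still works) but not for whoever holds only the dataset. The `guess_identity` check is worth running in a DPIA for any scheme that claims to pseudonymise email addresses or ID numbers, because a plain hash of a small, guessable identifier space is reversible by anyone who can enumerate the candidates.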

Here is a guide for preparing your ROPA, and you may also refer to this template.

Transparency and data subject rights

Importantly, transparency is central to GDPR compliance and trust-building. Data subjects (employees, customers, partners) have rights to the following.

  • Access and obtain copies of their data.
  • Correct inaccurate information.
  • Request erasure (i.e., the right to be forgotten).
  • Restrict or object to processing.
  • Request portability of their data.

Your organization must provide easy-to-access contact points, privacy notices, and response procedures for these rights.

Accountability and documentation

Also, organizations must demonstrate accountability. Specifically, under Article 5(2), organizations must not only comply but be able to show compliance.
That means doing the following.

  • Keeping records of decisions, consents, and risk assessments.
  • Documenting DMPs, DPIAs, and ROPAs.
  • Conducting internal privacy audits and staff training.
  • Ensuring third-party contracts (processors) include GDPR clauses.

Documentation demonstrates that your organization operates responsibly and transparently.

Building a GDPR mindset

GDPR compliance is not a one-off project; it is an iterative process.
To embed it successfully organizations should undertake the following activities.

  • Plan before collecting any data.
  • Collect minimally and store securely.
  • Process lawfully and fairly.
  • Review and update regularly.
  • Document everything.

Notably, a proactive compliance culture reduces risk, protects reputation, and builds trust with clients and regulators alike.

Quick GDPR readiness checklist for organizations

Below, in figure 2, we describe the steps organizations can take to achieve GDPR readiness. These include the following: a) having a data protection policy, b) differentiating between personal and non-personal data, c) identifying the data controller and processors, d) determining the legal grounds for processing, e) maintaining a data management plan, f) conducting regular privacy scans, g) applying GDPR principles to all data activities, h) implementing security measures for data protection, i) conducting staff training and compliance audits, and j) keeping detailed records to ensure accountability.

Figure 2 demonstrates the steps to achieve GDPR readiness.

GDPR compliance is far more than a legal obligation; it is a reflection of an organization’s integrity and its commitment to responsible data use. When companies handle personal data with transparency, fairness, and accountability, they build a level of trust that cannot be achieved through marketing or branding alone.

Achieving GDPR compliance also requires clear processes, documented responsibilities, robust security practices, and continuous awareness. The organizations that succeed are those that treat data protection as an everyday practice rather than a one-time project.

When your teams understand the rules, apply them consistently, and learn from the mistakes of others, GDPR compliance becomes structured, manageable, and ultimately a beneficial part of your operations.

For GDPR compliance assessment and advice, please feel free to reach out on LinkedIn. We would be happy to help at BoesK.

Created by:
Kadian Davis-Owusu

Kadian has a background in Computer Science and pursued her PhD and post-doctoral studies in the fields of Design for Social Interaction and Design for Health. She has taught a number of interaction design courses at the university level including the University of the West Indies, the University of the Commonwealth Caribbean (UCC) in Jamaica, and the Delft University of Technology in The Netherlands. Kadian also serves as the Founder and Lead UX Designer for TeachSomebody and is the host of ...