How to explain GDPR to a “GDPR Virgin”

As shocking as it may sound, most people that you encounter on the street, or even in your office, have little or no knowledge of GDPR. Even most people I meet (for example, Stockholm start-up people, professionals and university graduates living and working in service industries in Europe) have never heard of GDPR. As someone who recently started working at a company that develops software to help companies with GDPR compliance, I often find myself struggling to explain GDPR in simple terms.

Given the vast amount of information available, one can easily feel overwhelmed or confused. At times, a simple question can easily lead you down a rabbit hole of complex legal jargon, data breaches, or alarmist warnings about the hefty fines for non-compliance.

I have therefore prepared two GDPR summaries that I hope will come in handy at your next encounter with a GDPR virgin:
1) An Executive Summary; and 
2) GDPR ELI5 (Explain it Like I’m 5 years old), figuratively speaking.

1) Executive Summary to GDPR:

Good for: Conversations with professionals and executives / Not good for: Details, individuals who don’t really care about business.

What is the Purpose of GDPR?: GDPR is a European regulation aimed at protecting individuals’ right to privacy and control of their own data. This covers all EU countries, companies dealing with these countries and information about any EU resident, regardless of where the company or entity may be.

What is its Scope?: Any company that comes into contact with personal data of EU residents MUST ensure it complies with the GDPR or it runs the risk of heavy fines. This also applies to any business processing data on behalf of other businesses.

It is also important to understand that GDPR regulates PERSONAL DATA only. This means any complete or partial data set (piece of data) that can be attributed to a particular person.

What it means for companies and the use of Personal Data:
GDPR does NOT mean that collecting, processing or using private data will become illegal or impractical. It only means that companies must be responsible at all times for the personal data they come into contact with. (Notice I didn’t say store, collect or process, but “come into contact”.)

Some examples of the things companies are expected to know about personal data:

  • Where it came from
  • How consent was obtained
  • The legal basis for using the data
  • Why you need to hold this data (what purpose does it meet).

Companies that have been hoarding private data, expecting to use it in a not-so-distant future, will be expected to undergo a data cleanse.

When it comes to personal data, GDPR expects companies to either “use it or lose it.”

In other words, you will need a reason why you are collecting or processing specific data, and you must not use more data than needed to meet that end.

How will the relationship between companies and customers change:

Fundamental for GDPR compliance is establishing a clear communication with your customers or clients (i.e. data subjects), so that they can give clear consent for you to use their data.

Customers must consciously and explicitly sign up to your services. This also restricts companies from using complicated and difficult terms and conditions.

So no more automatic opt-ins.

Remember: With GDPR, individuals have the right to restrict or stop your processing of their data.

Companies must be hyper organized when it comes to personal data and be transparent with their data subjects about how they process the data.

2) ELI5 GDPR

Good for: A basic understanding of the EU’s motivation and the individual’s perspective / Not good for: Details or the company perspective.

Every time you do anything online, chances are, someone is watching. Companies want to see what you do, so that they can learn from it and use this information to show you ads and commercials that they know you will like. The more information they get from you, the better they match their ads to your profile.

You might not know it, but some of these companies are able to collect extremely personal and secret data that you might not want others to know. This could be anything from your private web-search history (for example, if you ever googled “How do I know if I am…”) and a record of the websites you visit (even those pages you clicked by mistake ;) ) to your private personal data, like bank account details and personal ID numbers.

It has become more and more frequent for hackers and criminal organisations to gain access to your personal information and in turn, use it to blackmail you, or to even copy your identity and/or steal your money.

The European Union (EU) sees this as a violation of the individual’s right to keep their identity private (Art. 8 of the European Convention on Human Rights). To protect individuals residing within its borders, the EU created the General Data Protection Regulation (GDPR).

The GDPR is a set of rules for companies that collect, use or even have access to someone’s private data. The rules clearly give anyone living in the EU control over who can use their data, the right to know what data these companies hold and, in some specific cases, the right to request the deletion of their data.

Companies must always have a legal basis for treating the data (consent being one of several types of legal basis). Individuals can also ask companies for a detailed report on what personal information they have, why they have it, and who else they have shared this information with.

Companies are also obliged to inform the individual whenever their information has been hacked, or even when they need to share their personal data with an external company outside their own control. In this way, the individual can check that their data is dealt with responsibly.

The consumer can also request that any company stop the processing of their personal data, at any moment, even if they agreed to it earlier.

Individuals will finally have control of their private data, and companies must respect their wishes. Even companies located outside the EU that deal with the personal data of anyone residing within the EU are bound by the GDPR.

Companies that do not abide by the rules set out by the GDPR risk large fines.

With the introduction of the GDPR, the EU hopes that your personal data will be more secure, companies will be more transparent, and people will feel safer using the internet.

I hope these summaries are helpful. You can certainly add examples (or pick bits of arguments from both summaries) the next time you need to explain GDPR. I hope that by the time this regulation comes into force on May 25, 2018, everyone in Europe (and the entire world) will have heard of GDPR.

In the coming months, I plan to write more about GDPR. Let me know if there are any specific topics within the GDPR that you would like me to address.