Utsav Jaiswal


GDPR Decoded - Part 1: The Basics



GDPR is here and businesses are scrambling to find compliance and workarounds to stay in business. What was the most common form of targeting and retargeting users with advertisements catered to their tastes and supposed “profiles” is now under serious threat and businesses must either foment new ideas for marketing or close up shop.

A notable area of concern is the blockchain space that is again hamstrung by another ambiguous legislation.

Does data committed to the Blockchain constitute data processing as elucidated in the GDPR text? Presence of child-porn on the Bitcoin Blockchain could not shut down the Blockchain but this piece of legislation, considered the new-age of consumer rights, developed over years of deliberation and evolution poses a serious question to the crypto-community which is already reeling under the massive crackdown on ICOs, position of the US SEC, and most importantly, individuals and companies running scam ICOs.

So, let’s find out what GDPR is and how it is going to affect you as a business or as a consumer.

What is GDPR?

Regulation (EU) 2016/679, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.

In Simple English

GDPR, or, General Data Protection Regulation, is a new law made by the EU Parliament (thus applicable only to EU citizens, companies based there, or those “processing” data of EU citizens. The law states that it does not apply to the processing of personal data of deceased persons or of legal entities. Similarly, it is not applicable on activities conducted for non-commercial activities by an individual.

So no, if you’re a stalker, you do not need explicit consent to stalk your victim. There are criminal laws to take care of scum like you.

What is Personal Data?

Personal data is any information that relates to an identified or identifiable living individual. Separate pieces of data, which collected together and can lead to the identification of a user, also is personal data according to GDPR. The law protects personal data regardless of the technology used for processing that data — it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order).


In Simple English

When you buy flowers online on Valentine’s Day, your personal data is collected by the website to help serve you better. Just for the record, the website collects a log of your IP address, your order number, your home address, your name, your email address, and your choice of flowers. Out of these data, the ones which can be used to identify you need to comply with GDPR law, which means that you must have the right to ask for its deletion. For clarity, the data which fall under the category of Personal Data have been bolded.

Your choice of flowers, if stored in a separate database, something like an inventory, falls outside the purview of GDPR laws if your name and other personal data is not linked to it.

This means that personal data, which cannot be used to decipher the identity of the person involved is stored, the consumer cannot ask for its deletion. So, de-identified, pseudo-anonymised, and encrypted data which can be used to identify the person who provided it come under GDPR radar. Completely anonymised data such as hashes (which are irreversible) are exempt from GDPR compliance.

Fun-Fact: emails such as info@abc.com are exempt from GDPR compliance because they do not reveal the information of the person.

What is Data Processing?

Data Processing encompasses a wide range of operations performed on personal user data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.


According to the text, the General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.

In Simple English

If you collect, or perform any activity on personal data belonging to EU citizens for any purpose other than for non-commercial reasons, you are processing data according to the new GDPR regulation. From posting a photo of a person on a website to accessing documents during consultation, all come under GDPR gaze. Even if you shred a paper containing personal data, it is governed by GDPR. The most common examples that we are all familiar with are the promotional emails that we receive in our inboxes. This is the reason why we are receiving 100s of emails from companies we did not know of, seeking opt-ins.


The requirements for consent have been tightened, and companies can no longer use long illegible terms and conditions full of legal-speak, since the request for consent must be given in an intelligible, informed and easily accessible form, with the purpose for data processing attached to that consent.

In Simple English

Businesses can no longer work on implied consent and consent received by drowning it within the large and boring texts of licensing agreements such as EULA. Along with data collection, the use of data processing and its intended outcome shall be appended to the user data request form. Additionally, it must be as easy to terminate consent as it was to give it.​

What are the Penalties for Non-Compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.

In Simple English

The maximum fines that can be slapped for breaching GDPR regulation is 4% of turnover or 20 Million euros, whichever is greater. These fines have two levels based on the severity of the violation. This regulation is equally applicable to controllers and processors of data.

This implies that data stored/processed in the cloud is also within the GDPR purview.


GDPR is a step in the right direction to prevent misuse of user data which can appear harmless on the outside but be potent enough to swing elections and people sentiments. This new regulation also emphasises the growing importance of supranational entities and come as a refreshing surprise in light of the nationalistic streak that coloured the political narrative for the past two years.

Let me know what you think about this in the comments section below. All views are welcome.

Follow me on Twitter and LinkedIn to never miss a story by me.

More by Utsav Jaiswal

Topics of interest

More Related Stories