Collecting personal data while being GDPR compliant

Charli Bregnballe
May 22, 2023

The General Data Protection Regulation (GDPR) is the European Union's framework for data protection and privacy. It applies to the processing of the personal data of individuals in the EU, regardless of whether the processing itself takes place within the EU. The GDPR replaced the 1995 Data Protection Directive (95/46/EC) and has applied since May 25, 2018.

The GDPR sets out specific rights for individuals with regard to their personal data and imposes stringent requirements on businesses and organizations that collect, process, and store personal data. It also applies to organizations outside the EU that offer goods or services to individuals in the EU, or that monitor the behavior of individuals within the EU.

The main goals of the GDPR are to give individuals greater control over their personal data and to harmonize data protection rules across the EU. It covers a wide range of personal data, including names, addresses, and financial information, as well as the special categories such as racial or ethnic origin and health data, and, under separate rules, data relating to criminal convictions and offences.

One thing that is not widely understood is that the GDPR's reach is not limited to companies based in the EU. A company based in the United States, for example, must still comply if it offers goods or services to individuals in the EU or monitors their behaviour there. What matters is where the people whose data is processed are, not where the company or its servers sit.

Finally, the GDPR includes provisions on data protection by design and by default (Article 25), which require companies to consider data protection at every stage of their operations and to implement appropriate measures to protect personal data. In practice this means designing products and services with data protection in mind and choosing default settings that minimize the collection and processing of personal data.

What is personal data in GDPR

Under the General Data Protection Regulation (GDPR), personal data is defined as any information relating to an identified or identifiable natural person. This includes information that can be used to directly or indirectly identify an individual, such as their name, address, and phone number. Personal data also includes any information that can be linked to an individual, such as their IP address, cookie data, and location data.

Within personal data, the GDPR singles out the special categories (often called sensitive personal data), which require additional protection and may only be processed under specific conditions. They cover an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation. Data relating to criminal convictions and offences is not in this list but is restricted separately under Article 10.

The GDPR applies to the processing of personal data by businesses and organizations established in the European Union (EU), and to processing by organizations outside the EU where it relates to offering goods or services to individuals in the EU or to monitoring their behaviour within the EU.

Understanding the users’ rights under GDPR

Under the GDPR, individuals have the right to:

  • Be informed about the collection and use of their personal data
  • Access their personal data and request copies
  • Have their personal data corrected or erased
  • Object to the processing of their personal data
  • Restrict the processing of their personal data
  • Have their personal data transferred to another organization (also known as the right to data portability)

Businesses and organizations that collect, process, and store personal data are required to:

  • Have a valid legal basis for each purpose they process personal data for; consent is one of six bases, and explicit consent is only required in specific cases, such as processing special category data
  • Provide clear and concise information about how personal data will be used
  • Implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, or disclosure
  • Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them
  • Appoint a data protection officer (DPO) if they are a public authority, if their core activities involve regular and systematic monitoring of individuals on a large scale, or if their core activities involve large-scale processing of special category or criminal offence data

Violations of the GDPR can result in administrative fines of up to 4% of a company's annual worldwide turnover or €20 million, whichever is higher; a lower tier of 2% or €10 million applies to less serious infringements.

Conditions for collecting personal data

Under the General Data Protection Regulation (GDPR), there are specific conditions that businesses and organizations must meet in order to collect personal data from individuals.

  1. Legal basis: The GDPR requires businesses and organizations to have a legal basis for collecting personal data. There are six: consent, the performance of a contract, compliance with a legal obligation, protection of someone's vital interests, a task carried out in the public interest, and the organization's legitimate interests. The appropriate basis depends on the context, it should be decided before collection starts, and it cannot simply be swapped for another one later.
  2. Consent: If the legal basis is consent, it must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action; silence or pre-ticked boxes do not count. Individuals must be given clear and concise information about how their personal data will be used, must be able to withdraw consent at any time, and withdrawing must be as easy as giving it.
  3. Necessity: Personal data must be collected for a specific, explicit, and legitimate purpose, and must not be collected in a way that is unnecessarily intrusive or excessive.
  4. Transparency: Businesses and organizations must provide individuals with clear and concise information about how their personal data will be collected, used, and shared. This includes information about the legal basis for the collection and processing of personal data, the purposes for which the personal data will be used, and the rights of individuals with regard to their personal data.
  5. Data minimization: Businesses and organizations must only collect the minimum amount of personal data necessary to achieve the specific purpose for which it is being collected.
  6. Data accuracy: Businesses and organizations must take reasonable steps to ensure that personal data is accurate and up-to-date.
  7. Data storage: Personal data must be stored securely, using appropriate technical and organizational measures to protect against unauthorized access, use, or disclosure, and it must not be kept in identifiable form for longer than the purpose requires (storage limitation). A retention period should be decided when the data is collected, not when someone eventually asks why it is still there.

Conclusion

These are just a few of the things to keep in mind when dealing with GDPR compliance. You can get a long way with a combination of common sense and privacy by design.

  • Establish a legal basis before collecting data; where that basis is consent, obtain and record it first
  • Provide clear and concise information about how their data will be used
  • Allow users to access, correct, or delete their data
  • Securely store and protect user data
  • Only collect the minimum amount of data necessary
  • Regularly review, update, and delete unnecessary data
  • Use privacy by design and default
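As an added worked example (not code from the article), here is how the conditions listed earlier and the checklist above can be enforced in code rather than in a policy document: a small Python store whose schema carries each field's purpose, legal basis and retention period, so an unlisted field cannot be stored (data minimisation), a consent-based field cannot be stored without an active consent, withdrawal is a single call that also removes the data it covered, and subject access, erasure and retention purging are ordinary operations. SCHEMA, PrivacyStore, the purpose and field names and the sample user are hypothetical names and constructed data chosen for this example.

```python
# Added example, not the article's or any library's code: a privacy-by-design data
# store. SCHEMA, PrivacyStore and the purpose/field names are hypothetical.
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The only fields we may store, each with purpose, legal basis and retention; unlisted
# fields are refused, so data minimisation is enforced in code rather than by habit.
SCHEMA = {
    "email":      {"purpose": "account",   "basis": "contract", "retention": timedelta(days=730)},
    "shipping":   {"purpose": "orders",    "basis": "contract", "retention": timedelta(days=90)},
    "newsletter": {"purpose": "marketing", "basis": "consent",  "retention": timedelta(days=365)},
}


@dataclass
class Consent:
    granted_at: datetime
    notice_version: str                   # which privacy notice the person actually saw
    withdrawn_at: datetime | None = None


@dataclass
class Subject:
    consents: dict[str, Consent] = field(default_factory=dict)           # purpose -> consent
    data: dict[str, tuple[str, datetime]] = field(default_factory=dict)  # field -> (value, collected_at)


class PrivacyStore:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock                # injectable so retention can be exercised in tests
        self.subjects: dict[str, Subject] = {}

    def record_consent(self, sid: str, purpose: str, notice_version: str) -> None:
        self.subjects.setdefault(sid, Subject()).consents[purpose] = Consent(self.clock(), notice_version)

    def withdraw_consent(self, sid: str, purpose: str) -> None:
        """One call, as easy as granting; data held only under that consent goes with it."""
        s = self.subjects.setdefault(sid, Subject())
        if purpose in s.consents:
            s.consents[purpose].withdrawn_at = self.clock()
        for name in [n for n in s.data if SCHEMA[n]["purpose"] == purpose]:
            del s.data[name]

    def collect(self, sid: str, name: str, value: str) -> None:
        """Store a field only if the schema lists it and its legal basis currently holds."""
        spec = SCHEMA.get(name)
        if spec is None:
            raise ValueError(f"'{name}' is not in the schema (data minimisation)")
        s = self.subjects.setdefault(sid, Subject())
        if spec["basis"] == "consent":
            c = s.consents.get(spec["purpose"])
            if c is None or c.withdrawn_at is not None:
                raise PermissionError(f"no active consent for purpose '{spec['purpose']}'")
        s.data[name] = (value, self.clock())

    def export(self, sid: str) -> str:
        """Right of access / portability: everything held about one person, as JSON."""
        s = self.subjects.get(sid, Subject())
        data = {n: {"value": v, "collected_at": ts.isoformat()} for n, (v, ts) in s.data.items()}
        consents = {p: {"notice": c.notice_version, "withdrawn": c.withdrawn_at is not None}
                    for p, c in s.consents.items()}
        return json.dumps({"data": data, "consents": consents}, indent=2)

    def erase(self, sid: str) -> None:
        """Right to erasure: drop the whole subject, consent history included."""
        self.subjects.pop(sid, None)

    def purge_expired(self) -> list[tuple[str, str]]:
        """Storage limitation: delete every record older than its field's retention period."""
        now, removed = self.clock(), []
        for sid, s in self.subjects.items():
            for name in [n for n, (_, ts) in s.data.items() if now - ts > SCHEMA[n]["retention"]]:
                del s.data[name]
                removed.append((sid, name))
        return removed


if __name__ == "__main__":
    store = PrivacyStore()                                       # constructed sample user below
    store.collect("u1", "email", "ada@example.com")             # contract basis: no consent needed
    store.record_consent("u1", "marketing", "notice-v3")
    store.collect("u1", "newsletter", "weekly")                 # consent basis: allowed now
    store.withdraw_consent("u1", "marketing")                   # newsletter is dropped with the consent
    print(store.export("u1"))                                   # what a subject access request returns
    store.erase("u1")
```

Only the newsletter field depends on consent here; the account e-mail and the shipping address rest on the contract with the user, which is why withdrawing marketing consent removes the newsletter preference but leaves the e-mail in place. Running the file prints the access export for the sample user; in a real service purge_expired would run from a scheduled job, and the consent record's notice version is what lets you show later which privacy notice the person actually agreed to.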
