Today, we briefly and concisely discuss an overview of the Who - How - Where - What - When - Why of the General Data Protection Regulation. Below in the article, the interested reader can find additional information on the European Data Protection Regulation (1).

Data protection in the EU: GDPR


GDPR stands for the General (sometimes European) Data Protection Regulation. It is a regulation designed to give EU citizens stronger rights and better protection with regard to their data (2).

WHEN is the GDPR applicable?

From May 25th, 2018.
The General Data Protection Regulation came into effect on May 5th, 2016. More than two years later, national laws, such as the "Wet bescherming persoonsgegevens" (3) in the Netherlands for instance, will become obsolete and other regulations will only be applicable to a very limited extent.

WHY is the GDPR necessary?

Data processing (4) is becoming more and more digital and global. Existing country-specific laws regulating data protection were issued many years ago when the Internet was still at the very beginning of its development. Today, we need a regulation that is made for the digital world: cross-border and uniform. A regulation which regulates the rights of every EU citizen in the same way with regard to their data. Numerous recitals (5) have led to the creation of the GDPR.

WHO is affected and who must comply with the GDPR?

All EU citizens are "affected", meaning included, regardless of where they are. All companies which process  data (see 4) from EU citizens must comply with the regulation, regardless of where this is done.

HOW can the guidelines be followed?

Companies need to do everything they can to securely process data. For this, technology (6) (privacy by design and privacy by default) and know-how (7) are necessary.

... and HOW can this be checked?

High penalties (8) are designed to motivate companies to work hard to avoid data breaches. What is new is that they have 72 hours to bring violations to self-notification (9). The supervisory authorities and accredited bodies (10) carry out checks and investigate any complaints they may have. Companies must comply with their documentation and information obligations and provide appropriate evidence. This is controlled by the data protection officer of the company, now a required role. They have the task of informing their superiors and staff of deficiencies, making suggestions as to how things can be done better, and taking appropriate actions, e.g. by providing training for the staff or purchasing necessary hardware and software.

WHERE does the GDPR apply?

The regulation applies in the EU as soon as data from EU citizens are in the process of being processed, worldwide (11) and outside the EU for companies holding data on EU citizens.

  1. The EU General Data Protection Regulation can be abbreviated and circumscribed in various ways: GDPR, EU GDPR, General Data Protection Regulation, EU Data Protection Regulation, European Data Protection Regulation.

  2. The purpose of the GDPR is to protect personal data. This includes all data that enable the identification of a natural person. These include names, as well as data and identification numbers that might give away the identity of that natural person.

  3. "Wet bescherming persoonsgegevens" (WBP) regulates the handling of personal data in the Netherlands and protects the citizens' personality rights. It will be replaced by the EU Data Protection Regulation on May 25th, 2018. That is, in principle, EU law takes precedence over any national law. However, through opening clauses in the EU Regulation, the EU countries have the possibility to make national arrangements. The determination of the minimum age for effective informed consent of minors or for order data processing for instance.

  4. “‘processing’ means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” (Chapter 1 Art. 4)

  5. There are 173 recitals that led to the drafting of the EU regulation.  among others these are: Ensuring a high level of data protection despite the increased exchange of data (Recital 6),     Harmonisation of the powers and sanctions (recital 11), and, in particular, to ensure the security of the processing (recital 83):

    "In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

    The communication solution Cryptshare allows you to encrypt e-mails, their metadata, and attachments on the transport path, and during caching on the server. In this context, it also provides full transparency through the traceable logging of all activities.

  6. Companies must implement data protection by means of technical design and privacy-by-default ("Privacy-by-Design" and "Privacy-by-Default"). Article 25 of the Data Protection Directive sets out the framework for the way in which the requirements of the GDPR are to be implemented in process design and in presetting. By assigning e-mails to a classification level using Cryptshare's "protective e-mail classification", companies fulfill the need to classify data – in a simple and secure way. In doing so, the required privacy-by-design and privacy-by-default approaches are met. The feature is configurable by the administrator according to the GDPR and company compliance requirements. Depending on the configuration, the user can or must select a pre-set protection class before dispatch, in order to be able to send the mail. For certain messages the admin may leave it to the sender to assign a classification - it can then be sent "without classification", too. Depending on the selected classification, the system takes appropriate measures for the protection and identification of the data.

  7. Companies, authorities and public authorities must designate a data protection officer. A data protection officer is involved in all matters related to the protection of personal data. He teaches and advises his supervisors and the employees of his company with regard to the duties and standards which they have to meet according to GDPR and other data protection regulations. He supervises compliance, sensitizes, conducts or organizes trainings and evaluates them. The data protection officer also cooperates with the supervisory authorities. (Chapter 4, Section 4).

  8. Within 72 hours after the company has registered a breach of the regulation, they must notify their supervisory authority in charge, depending on the extent of the breach they must also inform their customers. A maximum penalty of 4% of the turnover worldwide or € 20 million - whichever is higher – might have to be paid. This is not only painful but might threaten the existence of companies.

  9. In order to prevent from self-notification the data protection officer is responsible, among other duties, to take all appropriate measures to create the conditions in the enterprise to comply with the Regulation. Therefore, internal strategies must be defined and measures must be taken, which in particular meet the principles of data protection by means of technology (data protection by design) and data protection-friendly pre-settings (data protection by default). In addition, citizens themselves will have the right to know what data the company processes about them. They may request that their data be corrected or completely deleted (right to be forgotten Chapter 3, Art. 17).

    They also have the right to receive their data "in a structured, standard, machine-readable format" in order to make it available to another company. The right to data portability Chapter 3, Art 20 also allows EU citizens to transfer their data directly from one company to another "as far as it is technically possible." Here, too, the software solution Cryptshare can help you to transfer digital data - no matter what size and file format – securely and easily.

  10. Local supervisory authorities carry out inspections. When it comes to cross-border processing, the new so-called "one-stop shop" procedure applies: that is, the authority at the head office of the main branch has a controlling responsibility. Companies no longer have to deal with supervisory authorities in several EU Member States, but have only one contact person (Article 56 DS-GMO). Monitoring of compliance with Regulations of conduct may also be carried out by a body accredited by the supervisory authority. The body must meet numerous criteria, including: It must have the appropriate expertise and be independent.

  11. The scope of the EU data protection law is considerably extended. In addition to the branch principle, the new market location principle also applies. (Article 3 (1) and (2)). In addition to data processing branches in the EU, companies that do not have their headquarter in the EU, but need to process data from EU citizens need to comply with the GDPR.


The European General Data Protection Regulation describes the rights of EU citizens with regard to the handling of their personal data and the obligations of data processing companies, regardless of where they are located. Now is the time for companies to make all the necessary arrangements and to make their (data processing) processes technically consistent with data protection, to train their employees in the handling of personal data and to provide them with the right conditions and tools.