The General Data Protection Regulation (GDPR) is the EU/EEA privacy regulation

It introduces a strict set of rules on how and why companies can collect and use personal data. The goal is to give individuals greater control over how data that can be associated with them is used, shared and stored.

The regulation aims to restore the balance between the interests of individuals and those who process personal data.

An important goal of the GDPR is to create an internal single digital market that safeguards the free flow of labour, capital, goods and services within the EEA and at the same time creates innovation and a good basis for digitalisation.

This will make it easier and safer to expand operations within the EEA, but also to increase competition. A customer relationship involves mutual trust between the customer and the supplier. The new regulations raise the awareness that individuals have ownership of their own data. Taking GDPR seriously is therefore also about building and maintaining the customer's trust.

ICONFIRM recommends that all businesses seek legal assistance from privacy experts to ensure proper alignment with the new regulations as the basis for processing personal data is unique to each business and needs to be considered separately.

Notified fines as of January 2020 (EUR)

FAQs for what is GDPR

Personal data is any information that can be directly or indirectly linked to a natural person

Any operation or series of operations performed with personal data(For example, collection, registration, storage, consultation, dissemination, compilation, deletion).

The principles of processing personal data

  • Processing of personal data must be linked to a legal basis and the person must be clearly informed about what information is processed, who is processing the data and what kind of rights does the person has ('Lawfull, fairness and transparency').
  • The information shall not be processed for purposes other than the specific, explicitly stated and legitimate purposes for which the information was collected. Archive purposes for the public interest, science or historical purposes as well as statistics are considered compatible purposes ('purpose limitation').
  • The information should be adequate, relevant and limited to what is necessary for the purposes for which it is being processed ('data minimization')
  • The information must be correct and up to date ('Accuracy').
  • When the purpose of the treatment is met, the information should be deleted ('storage limitation').
  • The information being processed must be secured, including protection against unauthorized access, dissemination, deletion or destruction ('integrity and confidentiality').
  • The controller is responsible for and must be able to demonstrate compliance with the principles

All processing of personal data must be based on a legal basis. The legal bases are:

  • Consent
  • Fulfilment of agreement
  • Legal obligation
  • Vital interests
  • Public interest
  • Legitimate interests

"He who is silent is taken to agree - NOT"

The conditions for obtaining valid consents are considerably stricter.

The business is now required to obtain valid consent BEFORE data processing takes place.

The consent must be freely given, specific, informed and unambiguous. What the customer agrees to must be easily recognizable, clear and not presented with other terms. Consents that do not meet these conditions are not valid.

A given consent may be withdrawn at any time. If consent is withdrawn, this shall not affect the legality of the treatment based on the consent before it was withdrawn. This must be stated before consent is given. It should be as easy to draw consent as it is to give it.

As individuals, our rights under the GDPR have become clearer and strengthened. Central to the incorporation of the GDPR is the right to be informed. The challenge for many is precisely the lack of understanding of what is actually happening with their information. The GDPR places very clear and comprehensive requirements on the duty of information.

  • The information that is presented must be in a simple and understandable language and it should be easy for individuals to be able to exercise their rights
  • The information to be provided
  • The identity and contact details of the data controller as well as data protection officer, if applicable
  • The purposes of the treatment and the legal basis
  • With whom data is shared, or et least categories of recipients
  • Whether or not data is being processed outside the EU/EEA, if yes, on what basis
  • How long the information will be stored
  • The right to access and rectification or deletion and the right to restrict or object to treatment
  • The right to withdraw consent (if applicable)
  • The right to complain to the supervisory authorities
  • If there is a statutory or contractual requirement to provide the information, the consequences must be disclosed if the information is not provided
  • In the case of automated decisions/profiling, the logic, as well as the meaning and the expected consequences, should be informed

GDPR applies to all businesses, regardless of size or industry. Personal information that is not legally processed is just as invasive to an individual, regardless of whether it is a voluntary organization, public sector or company size. The Data authorities may not have the capacity to follow up on smaller businesses, but in any case, compliance must be documented and this is especially relevant when larger companies and the public sector require their suppliers to demonstrate compliance. For those companies that cannot provide the right information, the risk is that they may lose customer deliveries, even if they have not had a data breach.

  • Much has been written about the potentially large fines of up to 4% of global sales, or EUR 20 million, whichever is the higher. But there are other consequences as well.
  • Complaints from individuals who perceive that processing of their information is incorrect.
  • Loss of b2b customers if satisfactory compliance documentation cannot be presented.
  • The business model foundations may lapse if the legal basis is not valid.
  • Required stop of processing and erasure of data.
  • Risk of claims for damages from individuals and possibly organized mass litigation.
  • GDPR is about following good business practice and being able to document this to the customers.

Sustainable business models must ensure and document the correct processing of personal data to avoid that the basis for operations - and thus large values - vanish.

Most business processes use data that can be directly or indirectly linked to a person, be they employee, customer or supplier. The use of such data is at the heart of digitization, innovation and business development regardless of the size and activity of the business. The Privacy Act places many stringent requirements, including that businesses must be able to demonstrate ongoing compliance. This is true across all systems and categories of people where data is getting processed - whether they are employees, customers or other people with whom the business is interacting.

In the event of incorrect processing, demands may be made to cease processing and deletion of data. This can affect the entire business model of the business. It is also possible that one company buys another based on data. The purpose of the processing may prove incompatible with the original purpose and the basis for the transaction may lapse.

It is also an example of whether incorrect or inadequate due diligence in an acquisition can have major subsequent consequences on the value of the business.

Don't lose your sleep

ICONFIRM is a digital tool that allows your business to demonstrate GDPR compliance in a simple and cost-effective way.

We offer a practical and user-friendly solution that puts the individual at the centre and helps our clients build trust

en_GBEnglish (UK)
nb_NONorsk bokmål en_GBEnglish (UK)