Everything You Wanted to Know about GDPR (But Were Afraid to Ask)

Written By: Cudy

23rd April 2023

Everything You Wanted to Know about GDPR (But Were Afraid to Ask)

This is a quick introduction to the General Data Protection Regulation (GDPR) which comes into force on 25 May 2018. The new regulation replaces the current Data Protection Act 1998.

It affects any organization that processes personal data about individuals or offers goods or services to them.

Why Does GDPR Matter?

Under the current Data Protection Act, fines for non-compliance can be up to £500,000. The maximum fine under GDPR will be €20 million (£17 million) or 4% of global turnover, whichever is greater.

In addition, they can fine organizations up to €10 million (£8.8 million) or 2% of global turnover for not having their records in order (for example, failing to keep proper employee records).

grayscale photo of person using MacBook
Photo by Sergey Zolkin on Unsplash.

What Has Changed?

GDPR sets out several key changes that make it easier for businesses and organizations to comply with data protection laws and principles:

The GDPR will replace the Data Protection Act 1998. It applies to all companies processing the personal data of EU citizens, regardless of where the company is based.

GDPR is technology-neutral. This means that it will apply to any business that uses technology, from apps and websites to CCTV systems and databases.

GDPR clarifies that data protection laws apply not just to ‘personal data' but also to ‘special' categories of data, such as genetic or biometric data.

It also clarifies the definition of ‘sensitive personal data’, which can be about criminal offenses or convictions.

For example, names and addresses are likely to be sensitive personal data because they can identify an individual.

Rules Relating to Children Under 16-Year-Old

As well as being more explicit about the definition of sensitive personal data, GDPR has strengthened provisions relating to children under 16 years old, particularly about online services such as social media platforms and online games.

In addition, it sets out stricter rules on consent for processing special categories of personal data or sensitive personal data. These rules include:

  • Individuals must give unambiguous consent before organizations can process their sensitive personal information (for example, ticking a box). This includes information relating to criminal convictions and offenses.
  • The organization must clarify what the individual is consenting to, for example, whether they are consenting to market materials or an app.
  • Individuals must be able to withdraw their consent at any time.
  • Wherever possible, the organization should use ‘granular’ opt-in consent mechanisms (for example, asking people to tick a box if they want to receive marketing materials from the organization).
  • Where it is not possible to use granular opt-in, then organizations must explain why it is not possible in their privacy notice. For example, they may need to provide an ‘opt-out’ option for those who do not want their data processed for marketing. They must also explain how individuals can withdraw their consent at any time.

Getting Consent from Individuals

The GDPR will introduce more stringent rules on obtaining consent from individuals before processing their personal data. In particular:

  • It will clarify that consent must be freely given, specific, informed, and unambiguous. They cannot assume it from silence, pre-ticked boxes, or inactivity.
  • It will also require organizations to keep evidence of consent (for example, by asking individuals to sign a form).

The GDPR is likely to have a significant impact on how organizations interact with their customers and business partners.

For example, if an organization has an app that requires location data for the app to work, then it may need to get explicit consent from users before collecting and using this data.

The same would apply if an organization wanted to send marketing materials via email or SMS text messages.

Organizations must get clear consent from individuals before collecting any sensitive personal data or special categories of personal data (such as criminal convictions).

They must also make sure that the individual understands what they are consenting to (for example whether they are agreeing to receive marketing materials).

person using laptop
Photo by Thomas Lefebvre on Unsplash.

Transparency about Information Usage

Organisations must provide transparent information about why they need the information and how it will be used. This includes:

  • The organizations that might use the data (for example, direct marketing companies or debt collection agencies). The type of processing that will take place (for example, using the data to send marketing materials or to conduct a credit check).
  • Individuals must be able to withdraw their consent.

The Right to be 'Forgotten'

The GDPR introduces a ‘right to be forgotten'. This gives individuals the right to have their personal data deleted in certain circumstances, for example, if it is no longer necessary for the purpose it was collected.

The GDPR also clarifies that individuals may ask an organization to transfer their personal data from one service provider to another.

Organizations must have a lawful basis for processing personal data. The most common lawful basis is ‘consent’, but there are other grounds for processing too, such as ‘contract’ and ‘legitimate interests. Organizations will need to make sure they have evidence of consent before collecting and using personal data, such as

  • Recording how and when individuals gave consent.
  • Where appropriate, keep evidence of consent in an accessible format (for example, by asking people to sign a form).
  • Organizations must keep accurate records of all personal data they hold. They must also make sure that the records are easily accessible and readable.

This will help them identify any personal data that they no longer need to process, or that is incorrect.

Read similar articles about Privacy Policy and other related internet security articles on the Cudy Blog page!

Written by


Cudy is an online marketplace for real-time learning where students can achieve mastery over their subjects by learning live from educators who are passionate about providing the best learning experience for their students.

More stories

Key LMS Challenges: A Practical Guide For School Leaders
This article will examine the top key challenges that arise when managing an LMS and what steps school leaders can take to overcome these challenges. The challenges range from issues with the LMS itself to working with staff and students. This article has been published on eLearning Industry The Right Way To Overcome LMS Challenges […]


24th April 2023

Why Blended Learning Is Not For Everyone
Blended learning is a teaching method that combines elements of traditional educational settings with elements of online courses. However, it is not for everyone. This article will provide an overview of the concept of blended learning, how it works, and who it works for. This article was first published on eLearning Industry. The Concept Of […]


24th April 2023

How Can I Learn Japanese If There Are No Tutors in My Area?
eLearning is one of the most exciting trends in the field of education. The eLearning market is growing at a swift pace, which has led to many predictions. This article attempts to unravel some of the trends surrounding eLearning and make it easier for one to predict the future of eLearning. This article was first […]


24th April 2023

LMS Vs. eLearning Platform: The Key Differences
Learning Management Systems (LMS) and eLearning platforms are much alike in terms of the basic concept of providing a learning environment to learners, but they differ in some key aspects. This article discusses the differences between these two and finds out which one is better suited for you. This article has been published on eLearning […]


24th April 2023

Subscribe to our blog