
What is GDPR (General Data Protection Regulation)

GDPR was created by the European Union as a privacy law regulating how personal data is stored, processed and used in the EU. Personal data is any data that can identify a person on its own, or data that could be combined with other data to identify a person.

The Importance of GDPR compliance for businesses

Whilst the implications of not being compliant with GDPR can be fines or prison time, the importance of being compliant goes much deeper than this. Businesses should be taking good care of the data that they are able to take from their customers, clients and even their own employees.

Failure to do this could mean that they are not trusted, which can then mean that they are not able to be as successful, simply because no one feels that their data and information are safe with them.

Core principles of GDPR

There are several core principles that apply to GDPR. The main ones are that the data that has been obtained by the company is lawful and that the person to whom the data relates has given consent for it to be taken, stored and used.

It is also vital within GDPR that any data that is held is stored in a way that keeps the data safe and protected from any possible threat or security breach.

Lawfulness, fairness, and transparency

This aspect of GDPR means that you must not obtain, process or store data in a way that is misleading, unexpected or that is detrimental to the person that the data relates to. You also must be open and honest regarding the data that you hold and be able to be clear about how it is stored and used.

Purpose limitation

When you are obtaining data you must make sure that you are clear and open about why you want to obtain that data and what you intend to do with it if the person gives permission and consent for you to do this.

Data minimization

Even when someone has given their permission for their data to be collected, used and stored, there is still a need for you to try and minimise the amount of data that you then take from them. Within GDPR you should only take data that you need and that is relevant to what you do.

Accuracy

When you hold data for someone within GDPR you need to ensure that the data that you hold is as accurate as possible. If you believe that it is not accurate, or that something within the data has changed, then you need to reflect this in the data that you hold.

Storage limitation

Not only do you need to ensure that you only collect data that is consented to within GDPR, but you also need to recognise the storage limitations. You can only keep data for as long as you need it. There are specific time limits that are set within the UK GDPR, but you do need to be able to identify whether or not the data that you have is still needed.

Integrity and confidentiality

When you hold data for people, you need to ensure that you treat it with both integrity and confidentiality. This means that you are only using the data for the purpose that it has been collected and processed. You also need to make sure that you treat the data confidentially and that only those who require access are able to access the data.

Data subject rights

Much of the GDPR covers data subject rights. These are the rights of the person who has had their data collected. They have a variety of rights, so much so that GDPR has a chapter dedicated to this.

Right to be informed

The person who is having their data collected has the right to know what data is being collected, how it is then being used and how long it will be kept. They also have the right to be informed if any third parties are going to have access to their data.

They should be informed in a way that is clear and that they can understand.

Right of access

The right of access means that a person has the right to request a copy of the personal data that is held on them. They can request this directly from the organisation and this should be provided to them within one month. This is unless their request has been found to be excessive, repetitive or unfounded.


Right to rectification

If the person finds that the data that is held on them is not accurate or is incomplete, then they can ask that this be updated to be accurate.

Right to erasure

The person has the right to ask that their data be erased. This could be if it is no longer needed, if it has been unlawfully obtained, or if it no longer meets the lawful ground that applied when it was first collected.

This is often known as the right to be forgotten.

Right to restrict processing

A person can restrict the way that their data is used. They may not want their data fully deleted, but they want to make sure that it is only used in a way that they consent to within the organisation.

Right to data portability

A person can obtain and reuse their data for their own purposes across different services if they have consented to their data being collected and used.

Right to object

A person can object to their data being processed. The organisation should then stop processing the information unless it can demonstrate legitimate grounds for the processing that override the rights of the individual.

Data Protection Officer (DPO) role and responsibilities

A key part of GDPR is that a business must appoint a DPO within their workplace. They are there to ensure that the business is compliant internally and that they are aware of the obligations of that business within GDPR.

They are responsible for not only understanding the rules that relate to GDPR but ensuring that they can provide advice and guidance to the business owners to make sure that they are within them and acting on the right side of the law.

GDPR Training

The GDPR Awareness course is an essential programme designed to equip individuals and organisations with the knowledge and understanding required to navigate the complexities of GDPR compliance. With the potential for significant fines reaching up to £18 million or four per cent of annual turnover for non-compliance, the importance of this training cannot be overstated. It is particularly crucial for those who handle customer data and are responsible for ensuring GDPR-compliant processes within their organisations.

The course covers a comprehensive range of topics, starting with an overview of the legislation itself, to help participants understand the legal framework and its implications. It delves into the definition of personal data, clarifying what constitutes personal data under GDPR. The course also outlines who GDPR applies to, ensuring participants can identify if and how GDPR affects their organisation. A key component of the course is the detailed exploration of the seven fundamental principles of GDPR, which form the backbone of compliance efforts.

Furthermore, the course provides insights into what constitutes a lawful basis for processing personal data, a critical aspect of GDPR compliance. Participants will learn about the rights individuals have under GDPR, empowering them to handle data requests and concerns appropriately. The concept of GDPR security is another vital topic covered, highlighting the importance of safeguarding personal data against breaches and unauthorised access. To complement the core content, the course offers additional guidance on GDPR, providing participants with a well-rounded understanding of how to implement and maintain GDPR-compliant practices within their organisations.

If you haven’t already got it, one way to ensure yourself and your colleagues are compliant is to take a GDPR Awareness Course.

You can save even more by completing one of our money-saving bundles, which save you at least 50% and include other useful courses that you are likely to need:



For those who want to work in data protection as well as privacy, the Practitioner Certificate in Data Protection is considered to be the best practical qualification. This is because it covers all of the information and data that relates to the requirements of the General Data Protection Regulation (GDPR).

Data protection is hugely important and that is the reason why GDPR training is mandatory. As part of the GDPR, as well as the UK Privacy Act 2018 and many other regulations, it is mandatory that employees undergo GDPR training. Employers are now obliged to ensure that the right training is delivered to staff and that all results of the training are recorded accordingly. This will ensure that employees are aware of the risks and issues that are linked with data protection, while it will also help to ensure you remain compliant.

  • General Data Protection Regulation (GDPR) for Individuals
  • Certified EU General Data Protection Regulation (EU GDPR) Foundation And Practitioner
  • Introduction to Data Protection and the GDPR
  • Data Protection (GDPR) Foundation Certificate
  • GDPR and Data Protection Act 2018 Staff Awareness E-learning Course
  • GDPR Training Course
  • Certified GDPR Foundation Training Course
  • GDPR Training
  • Certified GDPR Practitioner Training Course
  • Data Protection Impact Assessment (DPIA) Training Workshop

No, it is not possible for a CEO to be a data protection officer. This is because it would create a conflict of interest. The same applies to those who have a role in ICT, which you would think is the natural place within an organisation to place the role. However, they would have a dual role that involves governing data, and so this would also be considered a conflict of interest.

In the UK, the national average salary that a data protection officer will earn is around £47,000.

It is especially important to make sure that GDPR training takes place regularly. As with many other regulations, training has to take place on an annual basis. This will ensure that you are able to access refresher training, which will keep you up to speed with the regulation and aware of any changes that might have been made.

Data is now becoming more widespread in everyday life and, because of the risks associated with sharing and storing data, it is more important than ever to ensure that it is managed correctly. With this in mind, the data protection industry is one that is going to evolve over the coming years as it aims to keep up to speed with the risks associated with data. Therefore, this is a rewarding career that is fast-paced and well paid, and it also gives you the chance to discover new opportunities.
