Simrin Kapoor
15 min read · Dec 10, 2020


What Is GDPR? A Brief Insight About General Data Protection Regulation


Simrin Kapoor,

A final-year law student who has done a BCom (Honours) from the University of Lucknow, (MGCPS) college, she is a content writer, social media coach, editor, and life coach. She has also worked with loveactuallyMe, a social platform that aims to bring equality between abled and disabled people. She is open to any opportunity that comes her way. She is a bookstagrammer and loves to recommend books to book lovers. "GDPR in relation to the European Union – A brief insight about GDPR" is written by her. You can reach her at @reading_gives_value.

Introduction to GDPR
Over the past years, many developments have occurred in the EU (European Union) under the 1995 EU Data Protection Directive as part of the reform of the EU data protection law framework.[1] This article throws light on the recent data protection reform of the European Union. The new framework consists of the General Data Protection Regulation (GDPR), which will replace the current Data Protection Directive.

It came into force in May 2016 and will become applicable law in May 2018.[2] This reform aims at modernizing and harmonizing data protection across the EU and is an essential element of the Digital Single Market Strategy that the EU launched in parallel, whose far-reaching consequences will unfold in the years to come.

The main purpose is to highlight the key changes that the new GDPR brings about. We analyze them in the wider context of the digital economy.[3] GDPR (General Data Protection Regulation) applies to all businesses in the EU, including the UK. If a company, individual, or firm outside the EU collects personal data from residents of the EU, then in that case it will be considered a “controller” under the GDPR. If in any case you process personal data on behalf of a controller, you will be considered a “processor” and will also need to comply with the GDPR.[4]

GDPR applies to Indian firms that monitor the behavior of European citizens. If you provide goods and services in the EU, then it is mandatory to comply with the GDPR regulations. Indian businesses dealing in data protection and cybersecurity see a larger impact from GDPR regulations on productivity and customer confidence.

When we look at the Indian government’s response to global security issues, we need to mention the 14th India-EU Summit held in October 2017 between Prime Minister Narendra Modi, European Council President Donald Tusk, and European Commission President Jean-Claude Juncker, where it was said that both sides have achieved considerable progress in many areas of their cooperation. At the summit, both agreed to cooperate in the fight against terrorism while deciding to resume talks on a free trade agreement. The EU is India’s largest trading partner, and the 28-nation bloc is one of the largest investors in India.[5]

On November 27, 2017, the Srikrishna Committee released a white paper to prepare a data protection framework; it includes a questionnaire for stakeholders on certain issues. These issues revolve around topics such as Aadhaar, data protection, and privacy.

The main purpose of the white paper is to get comments and perspectives on a variety of issues pertaining to data protection and privacy.

This is the first time India has taken a step towards the implementation of a specific data protection law, one which looks at aspects such as data sovereignty, data retention, and the responsibilities of government.

With the growing economy and the new challenges faced by startups in our country in one form or another, it is the duty of the government of India to protect the privacy of its citizens and their businesses as well.[6]

The white paper came into existence because, as we saw earlier, separate countries had their own data privacy laws and it was difficult to evaluate which data protection rules would be valid in another jurisdiction. For example, if a company in India has a registered office in the US, it will be difficult for the Data Protection Officer (DPO) to examine which rules apply.

Why did GDPR come into force?
The EU Directive on Data Protection has existed since 1995. It is important to stress at the outset that the right to privacy is a key concept in EU law and has been given significant weight that reflects deep cultural values. The Council of Europe’s European Convention on Human Rights protects the right to privacy in Article 8, as does the Charter of Fundamental Rights of the European Union (CFREU). The Data Protection Directive forms an important part of an ongoing project of the EU.[7]

An important, albeit not directly related, driver was the revelation made in 2013 by Edward Snowden that exposed the breadth and depth of surveillance by the US National Security Agency (NSA), which involved access to the data of millions of private users of services like Google, Apple, Facebook, etc.

There are several decisions of the Court of Justice of the European Union (CJEU) which brought important changes to existing legal practice, as well as to the understanding of the individual’s right to protection on the Internet in Europe.

The first case was Google Spain. This case has become well known, and misleadingly so, under the label of “the right to be forgotten”. It refers to a judgment of the CJEU in 2014 against Google Spain and Google Inc,[8] based on a preliminary ruling initiated by a Spanish court.[9]

In the above case, the lawsuit was brought by a plaintiff named Mario Costeja González. He sought a court order that would prohibit the Google search engine from displaying a link to a newspaper article published in 1998 when his name was searched.

The CJEU classified Google as a “controller” because its finding, indexing, and storing of data was “processing of personal data” as defined in the Directive. The Google Spain case has had serious consequences for search engines and for their role in more general terms.[10]

The second case is another CJEU decision of 2014, which declared Directive 2006/24/EC on data retention invalid.[11] The Data Retention Directive, politically inspired by the terrorist attacks in Madrid in 2004 and in London in 2005, sought to harmonize Member States’ laws and required the retention of data from fixed networks for at least 6 months and possibly up to 2 years. These controversies came to an end with the CJEU’s judgment in Digital Rights Ireland.[12] Digital Rights Ireland also exposed the importance of grassroots civil society organizations and citizen movements for the regulatory framework of digital privacy.[13]

The third case, which changed the legal situation in many senses, was the Schrems judgment of October 6, 2015.[14] In that case, Maximillian Schrems, an Austrian citizen, filed a suit against the Irish supervisory authority (the Data Protection Commissioner) after it rejected his complaint about Facebook’s practice of storing user data in the United States.[15] The plaintiff claimed that his data was not adequately protected in the light of the recent NSA revelations, despite the existing agreement between the EU and the United States.

In Schrems, the CJEU made at least two findings that were crucial for the EU’s data protection practice and its transatlantic dimension. The Luxembourg court held that the existence of a Commission decision finding that the third country.

What is GDPR? A brief insight about General Data Protection Regulation
In all the above cases it has been observed that GDPR is important, as it makes a business more efficient, secure, and competitive. Some of the advantages are:

Enhance Your Cyber Security: There is no company in the world that can afford the risk of ignoring cybersecurity, given the cost of data breaches caused by theft or loss of critical data. The legislation requires organizations to define their security strategy and adopt adequate administrative measures to protect EU citizens’ personal data.
Improve Data Management: To be compliant, you should know precisely what sensitive information you hold on people. Firstly, you will be able to detect and get rid of redundant, obsolete, and trivial (ROT) files that your organization retains even though they have no business value. Secondly, after you analyze all the data you have, you can implement mechanisms for fulfilling another GDPR requirement: making data globally searchable and indexed.
Increase Marketing Return On Investment (ROI): One of the key principles of the GDPR is that the organization should implement an opt-in policy and have data subjects consent to the processing of their personal data.
Boost Audience Loyalty And Trust: GDPR compliance can support your business by helping you build more trusting relationships with your customers and the public generally. Thus, you can use the GDPR to underline that you do care about the privacy of your current and prospective customers and stand head and shoulders above your competitors.
The First To Establish A New Business Culture: There is nothing new in a business being animal-friendly, eco-friendly, or LGBT-friendly. Why not become human-privacy-friendly?
While no one denies that complying with the GDPR is hard, a wise leader takes this challenge as something more important than just doing the bare minimum to comply. It is time to look forward to the benefits that may give your organization the competitive differentiation it needs to succeed, and to be among the first to implement a new business culture that cherishes human privacy. The GDPR is your opportunity to excel.

Is the European Union going beyond what it should?
Yes, the European Union is going beyond, as the new GDPR law states that the aim of GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

Many changes have been proposed to the regulatory policies; the key points of GDPR, as well as information on the impact it will have on business, can be found below.

Many non-EU financial services firms have determined, with a limited understanding of the regulation, that the GDPR doesn’t apply to them. Indian companies are likely to face increased compliance costs on the back of GDPR, or risk huge penalties if they fail to comply, yet they could also see it as a business opportunity. Moreover, following the Supreme Court’s verdict, a data protection framework has been proposed by the Srikrishna Committee in India.

India’s largest business process management firm Genpact, which is listed on the New York Stock Exchange, identified “GDPR as a risk” in a filing with the US Securities and Exchange Commission. As per industry estimates, only one-third of Indian companies are prepared for the change.

Some large software service providers have already taken GDPR as an opportunity to help their clients through the transition. Microsoft is a case in point. Anant Maheshwari, president of Microsoft India, said the company began its process nearly two years ago to be compliant with the new law. The same applies to all the globally known IT sector companies like HCL, Infosys, Tata Consultancy Services (TCS), and Wipro.

HCL Technologies has more than 110,000 people in 32 countries; it also works with leading technology companies including Microsoft, Cisco, and Google, and provides IT services to companies in the financial sector and to fintech startups.

Zomato is a restaurant search and discovery service founded in 2008 by Deepinder Goyal and Pankaj Chaddah; it currently operates in 23 countries, including Australia and the United States, and is served worldwide.

On 4 June 2015, an Indian security researcher hacked the Zomato website and gained access to information about 62.5 million users; using that access he was able to reach their personal data. This issue was fixed within 24 hours of it becoming

Data Localization
The EU’s General Data Protection Regulation (GDPR) has been enforced after many twists and turns. One of the most significant parts of the law is data localization. Data localization refers to laws requiring certain customer data to remain within the borders of a particular region or country.[16] If an organization has even the slightest doubt about a particular destination, the data cannot travel there. With the cost of non-compliance so high, many enterprises will refuse to gamble and opt to play it safe by ensuring their customer data stays within the EU, or even within the country of origin.[17]

Data localization will dramatically impact multinational companies (including many based in the US). In light of GDPR, we anticipate major changes; major cloud service providers have already begun massive infrastructure build-outs across the EU.[18]

The number of data localization measures worldwide has increased dramatically, most drastically since 2010. According to the United States International Trade Commission (USITC), laws specifically pertaining to the flow of data have forced companies to leave specific markets.[19]

China is an example of a global leader in this respect, as in China the data is processed locally. Its data protection law allows China to restrict market access for cloud computing if the required data localization requirement is not met. Russia’s strict data localization policies are another example of laws that impact business decisions. Twitter has considered whether to store user data in Russia to comply with the new laws, and it was reported that Twitter agreed to transfer data on Russian citizens to a facility within Russian borders. While Russia passed the law in 2014, Twitter has been considering whether to comply with it. Google and Apple have complied with the law, but Facebook has not.[20]

A data localization law established in 2001 stipulates that data generated on physical media located in Greece must be stored on Greek territory. Germany established its own data localization laws, with slight deviations from the GDPR: if data is meant for further processing, it does not have to come under the same regulations.[21]

Germany also requires any company with at least ten employees to have a data protection officer, although the GDPR only stipulates the need for one in exceptional circumstances.[22]

GDPR: Main concepts and requirements
The GDPR enhances the data protection rights of EU data subjects. In general, firms will need to provide easier access to personal data, with clear and understandable information on its processing, use, and storage[23]:

Data Protection Impact Assessment (DPIA): A DPIA is required for all processing operations of an organization. DPIAs should be used as tools that help organizations identify the most effective way to comply with their data protection obligations and to meet individuals’ expectations of privacy.
Data Privacy Accountabilities: The GDPR attempts to define what privacy accountability means in practice through requirements around proactive monitoring and personal data records. Each organization has to understand the principles of lawfulness, fairness, transparency, etc.
Conditions for processing: The processing of personal data is only lawful if it is permitted by the GDPR and has a proper basis. If the controller does not have a legitimate reason for a given data processing activity, then that activity is not allowed. Legitimate reasons include individual consent, contractual necessity, or public interest.
Data Protection Officer (DPO): Firms that establish that they conduct large-scale systematic monitoring of EU residents’ data, or process large amounts of sensitive personal information, must appoint a DPO. The regulation calls for the DPO to report to the “highest management level”, which EU guidance suggests means the board.
Privacy by Design (PbD): This is the practice of establishing and implementing privacy controls and principles in business processes and systems as they are being developed and built, rather than layering on controls after deployment. Under the GDPR, organizations will now be required to design policies, procedures, and systems that follow PbD principles from the outset of every development.
Right to erasure: The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This right creates significant data retention challenges for firms.
Individuals have the right to have personal data erased and to prevent future processing: Individuals have the right to have their data protected in such a manner that it is not used for future purposes. The scope of this right is stated quite precisely.
Consent and notification: The consent of the data protection officer is important in order to understand the specified areas.
Data Portability: Data portability works under the same clause as the right of access to one’s data. It is an essential part of the GDPR regulation.
Application of GDPR laws: sufficient or overbearing?
There has been a slow response by many non-EU financial services firms to addressing GDPR. It is difficult to determine what accounts for this general lack of action. Some firms may have seen a May 2018 implementation date and determined there is ample time to act.[24]

There are three lines across the firm where GDPR has the most effect:

First line (business lines and technology): GDPR affects business lines, operations, technology, security and data, customer relationship management (CRM), innovation and marketing, procurement and contract management, human resources (HR), training, and communication.
Second line of defense: third-party risk management (TPRM), surveillance and monitoring, compliance, privacy and security, and risk management.
Third line (internal audit): Internal audit will need to adapt to consider the GDPR within its audits, including compliance monitoring programs, reviews of access processes and procedures, and overall privacy framework validation.
Looking at the areas where GDPR has the most effect, it is seen to be sufficient, but only for some organizations. GDPR is also not accepted by all, as it leads to high costs and not all companies are willing to spend so much on data protection. It remains to be seen whether the various areas will lead to larger jurisdictions for other areas where data are protected.

Fines for not complying with GDPR
There will be two levels of fines under GDPR. The first is up to $10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.

The second is up to $20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the regulation.

The Parliament had requested fines of up to $100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached.

Fines for infringements will be considered on a case-by-case basis, taking a number of criteria into consideration, such as the intentional nature of the infringement, and will be applied to the infringements listed in Article 83(4) of the General Data Protection Regulation.

These include infringements relating to:

Integrating data protection ‘by design and by default’
Records of processing activities
Cooperation with the supervising authority
Security of processing data
Notification of a personal data breach to the supervisory authority
Communication of a personal data breach to the data subject
Data Protection Impact Assessment
Prior Consultation
Designation, position or task of the Data Protection Officer
When deciding whether to impose a fine, and the amount to be paid, the above points should be taken into consideration. In many cases, Member States also have the ability to apply penalties for infringements of the GDPR.

According to my research on the topic, I need to highlight various new points to analyze the recent data protection reform of the European Union (EU). This article introduces the drivers of the reform, in particular by looking at a few seminal judgments of the Court of Justice of the EU. Against this backdrop, it highlights the key changes that the new General Data Protection Regulation brings about, assesses their implications, and seeks to situate them in the wider context of the digital economy and its governance. I have stated various points:

The first major issue that I would like to mention for the readers is that GDPR regulations are very expensive and compliance is very complicated; hence it is not mandatory for all companies to appoint a Data Protection Officer (DPO). These companies can hire a Data Protection Officer and appoint one as and when GDPR regulations need to be complied with.
The second major issue that I would like to bring in is the concept of data localization. This issue is raised because, when we compare the data localization of China and Russia, the researcher found that in those countries the data is restricted to the same jurisdiction. In India, this type of data protection has never been seen.
The third major issue I would like to state is that GDPR places greater accountability on organizations, requiring greater documentation and records.
In the end, I would like to conclude by saying that GDPR adds to the betterment of the nation, as it has a great impact on data privacy. It will be able to strengthen the digital world, as every jurisdiction has to apply GDPR laws, rules, and regulations. In my research work I compared China and Germany, which have their own data privacy laws within their jurisdictions; if this type of law comes to India, then I feel India would be much more protected compared to these areas.


[1] W. Gregory Voss is a professor of Business Law at Toulouse University, Toulouse Business School, and a member of the Institut de Recherche en Droit Européen International, France.

[2] The GDPR entered into force on May 24, 2016, and will be effective as of May 25, 2018, Directive 2016/680 entered into force on May 5, 2016, and will be effective as of May 6, 2018.

[7] The specific requirements of Article 8 of the Charter are reflected inter alia in Articles 6, 7, 12 and 28 of the Data Protection Directive.

[8] Case C-131/12, Google Spain SL and Google Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. Judgment of the Court (Grand Chamber) of 13 May 2014, ECR [2014] 317 (hereinafter Google Spain).

[10] https://globalfreedomofexpression.columbia.ed

[23] Ernst & Young, cyber rules on general data protection laws.

Simrin Kapoor

is a book reviewer, social media marketing coach, and content creator. She has passed her law degree this year. Reach her on @simrinkapoor95.