Data Privacy: California Data Protection policy and GDPR
The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy that applies in the EU and the European Economic Area (EEA).

The General Data Protection Regulation (GDPR) was introduced by the European Union to safeguard the personal data of people in the EU. In the digital age, government bodies, private companies, non-profit groups and others collect our personal information, often without our knowledge or consent, and that information is frequently misused. The GDPR brings transparency to how data is handled and strengthens the basic rights of individuals, giving people more control over how their data is used. The regulation consists of 11 chapters. It sets out principles, general requirements, the rights of data subjects, the duties of data controllers and processors, and the role of supervisory authorities. It also deals with the transfer of personal data to other countries, penalties, liability, and remedies for breaches of these rights.

How is it done?

Personal data may be processed only where at least one legal basis applies. Article 6 lists the lawful bases for processing:

(a) If the data subject has given consent to the processing of his or her data;

(b) To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;

(c) To comply with a data controller's legal obligations;

(d) To protect the vital interests of a data subject or another individual;

(e) To perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) For the legitimate interests of a data controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child).

A GDPR compliance programme typically includes documents such as:

  • Personal Data Protection Policy
  • Privacy Notice
  • Employee Privacy Notice
  • Data Retention Policy
  • Data Retention Schedule
  • Data Subject Consent Form
  • Supplier Data Processing Agreement
  • DPIA Register
  • Data Breach Response and Notification Procedure
  • Standard Contractual Clauses for the Transfer of Personal Data to Controllers
  • Standard Contractual Clauses for the Transfer of Personal Data to Processors

Who must comply with the GDPR?

Any organization that processes the personal data of people in the EU must comply with the GDPR. "Processing" is an all-inclusive term that covers just about anything you can do with data: collection, storage, transmission, analysis, deletion, etc. "Personal data" is any information relating to an identified or identifiable person, such as names, email addresses, IP addresses, eye colour, political affiliation, and so on. Even if an organization has no establishment in the EU, if it processes the personal data of people in the EU (for example, by tracking visitors on its website or offering them goods or services), it must comply. The GDPR is not limited to for-profit companies.

What are the GDPR fines?

The GDPR allows the supervisory authority (data protection authority) in each member state to impose fines on organizations it finds in violation. The maximum fine is €20 million or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of €10 million or 2% applies to less serious infringements, such as failures of record-keeping, security measures or breach notification. Supervisory authorities can also impose corrective measures short of fines, such as temporary or permanent bans on processing or public reprimands.

How do I comply with the GDPR?

Organizations comply with the GDPR by implementing technical and organizational measures to protect the personal data they control. The first step is a data-mapping exercise: find out what personal data the organization holds, where it is stored, who has access to it, and how and why it is processed. Organizations must also follow the data protection principles set out in the GDPR, such as obtaining valid consent where consent is the legal basis and supporting data portability. Depending on the nature of the processing, you may also be required to appoint a Data Protection Officer, carry out data protection impact assessments, and update your privacy notice, among other organizational measures.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is the person responsible for understanding the GDPR and ensuring your organization's compliance. The DPO may be a staff member or an external contractor engaged under a service contract. The DPO is the main point of contact for the supervisory authority and for data subjects, and must be able to act independently. Typically, the DPO knows both information technology and data protection law.

Does the GDPR require encryption?

The GDPR does not mandate encryption outright. Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" proportionate to the risk, and lists examples of such measures, including pseudonymisation and encryption of personal data. In many cases, encryption is the most practical way to protect personal data. For instance, if you regularly send emails within your organization that contain personal information, it may be more efficient to use an encrypted email service than to anonymise the information each time. Two caveats matter in practice. First, encrypted or pseudonymised data is still personal data under the GDPR, because whoever holds the key can re-identify the individuals, so it remains in scope of the regulation; only truly anonymised data falls outside it. Second, encryption still pays off when things go wrong: under Article 34(3)(a), a controller need not notify affected individuals of a breach if the compromised data was rendered unintelligible to unauthorised parties, for example by encryption, provided the key itself was not exposed.
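The distinction above, between encrypting a personal-data field so that only the key holder can read it and pseudonymising an identifier so it can still be joined on without the raw value being stored, is easier to see in code. The following Go program is an added example written for this article, not code from the original page or from any library it mentions. It assumes a 256-bit key held separately from the data (in practice in a KMS or HSM), a record identifier such as `subject-42`, and a constructed sample email address. It uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// EncryptField seals one personal-data value (for example an email address)
// with AES-256-GCM. The record ID is bound as associated data, so a
// ciphertext copied into another subject's row fails to decrypt instead of
// silently attributing one person's data to another.
// Output layout: nonce || ciphertext || authentication tag.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. It returns an error if the key or the
// record ID does not match, or if the ciphertext was altered.
func DecryptField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// Pseudonymise replaces an identifier with a keyed hash (HMAC-SHA256).
// The token is stable, so analytics can still join records on it, but the
// raw value is not stored. The HMAC key is the "additional information"
// that GDPR Art. 4(5) requires to be kept separately; a plain unkeyed hash
// would let anyone with a list of candidate emails re-identify people.
func Pseudonymise(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	key := make([]byte, 32) // assumption: in production this comes from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	email := []byte("alice@example.com") // constructed sample value

	sealed, err := EncryptField(key, "subject-42", email)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(key, "subject-42", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted for subject-42: %s\n", pt)

	// Same ciphertext moved to another subject's row: GCM rejects it.
	if _, err := DecryptField(key, "subject-43", sealed); err != nil {
		fmt.Println("moved ciphertext rejected:", err)
	}

	fmt.Println("pseudonym:", Pseudonymise(key, string(email)))
}
```

Both outputs are still personal data: the encrypted field is recoverable with the key, and the pseudonym is reversible by anyone holding the HMAC key and a list of candidate identifiers, which is why the key and the data must live in separate trust boundaries. Key rotation, access logging and the choice of which fields to protect are organisational decisions the code cannot make for you.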
