What Data is Protected Under the GDPR?
Any information that is considered personal and can be used to identify an EU citizen is protected under the GDPR. This includes, but is not limited to:
Name
Photo
Email address
Social media posts
Personal medical information
IP addresses
Banking information
Minors cannot legally consent to the use of their personal data. Therefore, parents or legal guardians must give consent for any individual aged 16 or under.
Why Should Companies Comply with GDPR?
Failure to comply by May 25 may result in severe fines, up to 4% of global annual turnover or €20 million, whichever is greater. Additional penalties may be imposed depending on the severity of the violation.
Most importantly, non-compliance can result in loss of customer trust. GDPR compliance demonstrates transparency and builds confidence among your website visitors and clients. In other words, GDPR is not just a legal obligation — it’s good business practice.
What Happens in Case of a Data Breach?
A data breach occurs when personal data is accessed without authorization. Under GDPR, businesses are required to notify the relevant data protection authorities within 72 hours of a breach. Affected individuals must also be informed as soon as possible.
The primary objective of the GDPR is to safeguard users’ personal data.
How Should the New Privacy Policy Be Presented?
Now that the rationale and key provisions of the GDPR are clear, here are some basic guidelines for writing your compliant privacy policy:
Keep it short and clear.
Your privacy policy must be concise, accessible, and written in clear language — understandable even by children — and provided at no cost.
Explain how you use the data.
Clarify how collected data will be used. For example, mention if it will be used for marketing purposes or shared with third parties.
Explain cookie usage.
If you use cookies for personalized advertising or to track user behavior, visitors must be informed.
Be transparent about sharing data.
Disclose who the data may be shared with and for what purpose (e.g., advertisers, social media platforms, customer service providers). Not informing users is illegal.
Explain individual rights.
Users must be informed about their data privacy rights, including:
The right to request deletion or correction of their data
The right to access data held by the business
The right to data portability
The right to consent to data usage