
What is the GDPR and what does it mean for you?

The GDPR is not a distant law for lawyers; it shapes how you handle data every day. This article explains, in plain language, what the GDPR asks of you in your daily work.

The General Data Protection Regulation (GDPR) sounds like something for lawyers and the privacy team. In practice, though, it shapes how you handle the data of colleagues, customers and citizens every single day. This article explains in plain language what the GDPR is and, more importantly, what it asks of you in your work.

What is the GDPR, really?

The GDPR is the European privacy law that has applied directly in every EU member state (and across the wider EEA) since 25 May 2018. It protects personal data: any information that relates to an identified or identifiable person, from a name or email address to a staff number or photo.

The idea behind it is simple. People should be able to trust that organisations handle their data carefully. The GDPR sets out when you may use data, how long you may keep it, and what rights people have over it, such as the right to see, correct or have deleted what you hold about them. Each member state has its own supervisory authority that oversees compliance and can issue fines.

Why this is your concern too

It is tempting to think privacy is the responsibility of the IT department or the data protection officer. But most privacy incidents do not stem from a technical fault; they come from an everyday action: an email sent to the wrong recipient, a file shared too widely, or data pasted into a free online tool that was never approved for it.

That is why the GDPR concerns everyone who works with data. Not because you must memorise the law, but because your daily choices determine whether it is upheld in practice.

The heart of the GDPR in five habits

You need not be a lawyer to respect the GDPR. Translate the law into a few habits:

  • Use data only for its intended purpose. Customer data you received to fulfil an order is not automatically yours to use for a marketing mailing.
  • Collect no more than you need. Ask only for what you actually use.
  • Share deliberately. Check the recipient and the attachment before sending, and share folders with named people rather than "anyone with the link": a link that works for anyone is effectively public.
  • Do not keep data forever. Data you no longer need should be deleted or anonymised in line with your organisation's retention periods.
  • Report doubt. If you see something go wrong, or suspect it has, report it straight away so the damage stays limited.

Special data: extra care

Some data is extra sensitive: health, religion or belief, racial or ethnic origin, political opinions, trade union membership, genetic and biometric data, and data on sex life or sexual orientation. The GDPR (Article 9) calls this special category data and in principle prohibits processing it unless a specific exception applies. If you come across it in your work, treat it with extra care and share it only through approved channels.

A good rule of thumb: would you want this information about you lying around? If not, you know extra caution is warranted.

How to embed this in your awareness programme

GDPR awareness belongs in every basic programme, not as a one-off legal session but as a recurring theme with recognisable examples from real work. Short modules showing how a breach actually happens stick better than a list of legal articles.

Combine that with a simple reporting route. The easier and safer it is to report doubt, the sooner you spot an incident in the making.

FAQ

What exactly is personal data?

Any information that lets you identify a person directly or indirectly: a name, email address, phone number, staff number, photo, or even a combination of separate details that together point to one person. Pseudonymised data, such as a customer ID that your organisation can link back to a person, still counts as personal data.

Does the GDPR apply to me as an ordinary employee?

Yes. You need not memorise the law, but your daily choices determine whether it is upheld. Most privacy incidents come from everyday actions, not technical faults.

Who supervises the GDPR?

Each EU member state has its own data protection authority that oversees compliance, investigates and can issue fines. At EU level, the European Data Protection Board coordinates between them.

What is special category data?

Extra sensitive data such as health, religion or belief, racial or ethnic origin, political opinions, trade union membership, genetic and biometric data, and data on sex life or sexual orientation. Stricter rules apply (Article 9): only process and share it under strict conditions and through approved channels.

What should I do if I accidentally leak data?

Report it immediately to your IT or privacy officer, even if you are unsure how serious it is. Reporting quickly limits the damage and lets the organisation take the right steps in time: where a breach is likely to pose a risk to the people affected, the organisation must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, so every hour you wait counts.

Want help with implementation?

Book a short demo or discuss your use case. We respond quickly.