When achieving compliance with General Data Protection Regulation (GDPR), the amount of time spent by organizations attempting to define and decipher what regulation articles are applicable to a business can be overwhelming. We have broken down the regulation into chapter summaries, and also into three parts. Each part focuses on specific sections of GDPR.

PART 1: Definitions, Principles, and Rights

With 99 articles to review and comprehend, navigating the GDPR can be a challenge. Organized and broken down into sections - including a complete checklist-  the first three chapters of the regulation covers Articles 1-23. The breakdown of those chapters and articles follows below.


Chapter 1: Define, Define, Define

The GDPR welcomes you by defining the regulatory objectives and additionally defines territorial scope and terminology specific to the GDPR.

With a focus on fundamental rights and freedoms for individuals, the processing of personal data is introduced and reviewed.  Special attention should be paid to article 4, as this article defines 26 different terms. Defined by the GDPR, terms include; personal data, processing, restriction of processing, profiling, pseudonymization, filing system, controller, processor, recipient, third-party, consent, personal data breach, genetic data, biometric data, data concerning health, main establishment, representative, enterprise, group of undertakings, binding corporate rules, supervisory authority, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service, international organization. 

Article 4 itself is hard to summarize, as the specifications regarding the data, businesses, people, and the processing of that data are relevant based upon an organization and criteria within the scope.

Key takeaways

Article 2: The material scope of the GDPR is laid out in this Article. 
Article 4: Definitions within this article should be reviewed and understood, as they are mentioned throughout the regulation.
A more in-depth look at specific GDPR definitions can be found at Definitions to Know for the GDPR. 

Chapter 2: Principles

This chapter, covering Articles 5-11,  discusses how you should treat data, and how the person who is processing the data has to demonstrate compliance.

This chapter also brings in consent, categories for personal data,  and when processing does NOT require identification (Article 11). In general, chapter 2 is lengthy and will take time to review, but is worth the review for consent and conditions.

Key takeaways

Article 5: Principles related to personal data processing. 
Article 7: Conditions for consent. 
Article 11: Processing which does not require identification.

With the strengthening of consent requirements, the request for consent must be given in an intelligible and easily accessible form. Most importantly, the purpose for the data processing must be attached to that consent, and withdrawal of the consent must not be complicated as well.

Chapter 3: Data Subject Rights

This chapter covers Articles 12-23 and explains the rights of the person, or “data subject” whose data is handled by the processor, controller, or by someone who receives the data. As with the previous, chapter 3 contains a large amount of information, including the right to be forgotten (Article 17).

Key takeaways

Article 12: Clear, concise, and comprehensible information. No longer can organizations use muddled and complicated language for capturing data.
Article 16: Right to rectification. An organization will have to correct/rectify inaccurate information about an individual.
Article 17: The right to be forgotten. Essentially, organizations need to be able to show they can trace and delete data on an individual.
Article 22: The right to not be profiled.  

Keep in mind, the GDPR was not created with the intent to complicate IT processes and procedures for organizations. Ultimately, the overarching goal was to formalize a regulation with a focus on protecting data subject rights.  Given the technological advancements of the previous decade, it may be surprising that this regulation has not been put in place sooner.

In Part II of this series, we will cover privacy by design(Article 25) and Security of Processing (Article 32). Additionally, we will cover the role of the DPO and reporting instances.  To learn more about the GDPR and compliance for your organization download the complete GDPR checklist today.


Jacqueline von Ogden
Post by Jacqueline von Ogden
May 9, 2018
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time