GDPR in a Nutshell
GDPR can be summed up in this one sentence – ask permission, respect the privacy of the subject, value and protect their data.
To illustrate this, envisage personal data as something monetarily and emotionally valuable that belongs to someone else and that we would like to borrow for our own use. For illustrative purposes, let's say this is an expensive sports car we are borrowing from our neighbour.
Seek permission to use
I have to ask his permission first. I can't just take it and drive away: it would be illegal, it would pee him off and he might call the police. Think of this as consent (since there is no other legitimate basis for use, such as a rental or lease agreement).
Permission does not mean I can off-road with it, give it to my mates to joyride in or even sell it off. Think of this as fair and lawful processing: no abusing or sharing without consent.
Protect it whilst in your possession
He will also expect me to park it in a safe place and lock the door so that it is not damaged or stolen. Think of this as security.
And if it did get stolen or damaged, he would expect to be informed as soon as possible and would expect me to report it to the authorities, so that he is protected from the consequences. Think of this as breach notification.
He would also expect me to keep it clean and to ensure it is insured, MoT'd, taxed and roadworthy. Think of this as keeping the data up to date, accurate, complete, etc.
Personal data is a loan or a gift
The data still belongs to the subject. It is not ours to use and abuse as we like. We must start thinking of it as something precious, a personal gift or a loan that we need to look after. In business terms, think of the data subject as the most important stakeholder here.
I must also be prepared to comply with his requests to modify my driving behaviour: not to speed, not to go off-road, not to take part in a race, or simply to stop driving it and return the car when he asks for it. Think of this as the subject's rights under the GDPR.
Be accountable for your actions
And of course, if I do abuse it then I will have to pay for the damage, and I may end up in prison if I really take the P. This is being accountable.
Be prepared to pay for misuse or abuse
If I did all of the above to the best of his expectations, to a certain expected standard of due care (e.g. the GDPR), and I can prove it to him, then even if there are some scratches or minor damage, he may not be too upset. And even if he made a claim, there would be mitigating circumstances that would be taken into consideration if I'm penalised by the authorities.
A very simple analogy that I hope helps to convey the essence of what the GDPR is. You wouldn't abuse a neighbour's car entrusted to you, so why would you abuse someone's personal data?
This and other articles can be found at www.cybercounsel.co.uk
Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF, is a certified GDPR and cybersecurity practitioner. As a security practitioner he has written, tested and embedded many incident management plans and processes, and has dealt with many incidents and data breaches. He is also the co-author of RESILIA: Cyber Resilience Best Practices from AXELOS, published in 2014, and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneurs.
If you need any assistance with any aspect of GDPR implementation or cyber security, please contact us.
If you are interested in our one-day GDPR How-to Master Classes, please register at Cyber Counsel.
Copyright Cyber Counsel