What Is the General Data Protection Regulation?

The General Data Protection Regulation, commonly known as GDPR, is made to protect personal data. There are rules made to secure the data subject’s rights when their personal data is processed in either a municipality or a corporation. For example, there are rules regarding how personal information can be stored and how long an organisation is allowed to be in possession of them. GDPR can, at first glance, seem hard to navigate through but with the right GDPR awareness training, you and your employees will quickly get an understanding of the rules. We use every day examples and cases to explain the articles in the GDPR in an easily understandable language.


In this article, we will go through some of the topics within GDPR. 

Why is GDPR important?

If the information is not managed correctly it can have fatal consequences for the person to whom the information concerns. It can also have consequences for the person or organisation that did not manage the data correctly. Therefore, it is important to comply with the rules, as otherwise, it can result in large funds and injunctions.

If you are interested in seeing our GDPR awareness training, you can book a demo of the course.

GDPR In Short

In short, GDPR is about protecting personal information. Within GDPR, a distinction is made between regular personal data and sensitive personal data. 

What Is Regular Personal Data?

Regular personal data is e.g.:

  • Name
  • Address
  • Phone number
  • Working position 

What Is Sensitive Personal Data?

Sensitive personal data is information regarding subjects such as: 

  • CPR-number
  • Health issues (cause)
  • Race or ethnic origin, political, religious or philosophical beliefs. 
  • Trade union affiliation
  • Processing of genetic or biometric data for the purpose of unique identification, e.g. fingerprints
  • Information regarding a person’s sexual relationship or sexual orientation 
  • Other conditions that indicate unique personality traits and/or information that is specific to the individual. 

Data Controller and Data Processor

When complying with the GDPR rules, it is important that you are aware of the terms “data controller” and “data processor”. 

According to the Danish Data Protection Agency’s description, a data controller is “a natural or legal person, a public authority, an institution, or other body that individually or in collaboration with others determine what purpose and with what aids personal data may be processed.”

A data controller has a duty to report any breaches on the Danish Data Protection Act within 72 hours. You can read more on how to report security breaches on the Danish Data Protection Agency’s website. 

A data processor is as said “a natural or legal person, a public authority, an institution, or other body, that treats personal data on behalf of the data controller.”


You must be able to document a list of things in connection to GPDR compliance:

  1. What personal information are you processing?
  2. Why are you processing personal information?
  3. How are you processing personal information?
  4. Where (e.g. in what systems) are you processing the personal information?
  5. How long are you processing the personal information?

When you have mapped out the processes for how you and your colleagues process personal information, it is time to look into whether any changes should be made. Are there, for example, any places where you should improve the procedure for when to delete personal data, that you no longer need? 

Breaches and Consequences

It is important to comply with the rules as otherwise, it may result in a fine. The size of the fine you may have to pay depends on various factors. The size can range from anything between 150.000 DKK, as in the case of this management company, to 1,5 million DKK as in the case of this furniture company

Breach of Personal Data Security or An Information Security Incident? 

The Data Protection Regulation defines a breach as “a breach of security that results in accidental or illegal destruction, loss, alteration, the unauthorized passage of or access to personal data transmitted, stored or otherwise processed.” 

A breach of personal data security is also an information security incident. The ISO 27000-standard defines this concept as: 

“An identified occurrence of a system, service or network condition that indicates a possible breach of the information security policy or failure of controls, or a previously unknown situation that may be relevant for the security…”


A guide from the Danish Data Protection Agency

As the Danish Data Protection Agency writes in their guide, it is only “the information security incidents that result in accidental or illegal destruction, loss, alteration, unauthorized transfer of or access to personal data covered by the GDPR’s definition of a personal data security breach.”

An information security incident is therefore not always a breach of personal data security. For instance, multiple unsuccessful log-in attempts would be considered a security incident but not a breach of personal data security. 

In the case of an information security incident, it is in some cases more about cyber security. We have awareness training about this too and you can read more about it here.

4 Good Tips For GDPR

1. Use GDPR awareness training to educate your employees

Are you the GDPR-consultant or Data Protection Officer (DPO) in an organisation and are you therefore responsible for educating your employees in GDPR? And do you think it will be time-consuming and laborious for you to educate everyone in the organisation? Obviously, it will take a lot of your time, if you have to arrange physical courses and go around teaching everyone all the rules. If you choose our GDPR awareness training there are many benefits. Your employees can take the course whenever it suits them and with that, you will save lots of time. Your employees will not need to read through a legal text with heavy jurisprudence and they can instead learn via a more involving experience. With our online GDPR course, you can prepare your employees for the correct management of data.

It can be hard to find your way through the jungle of courses in GDPR. At MOCH we wish to make it easy for you to get an insight into the quality of our e-learning, and you can therefore book a demo of our course.

2. Use Suppliers That Comply With the GDPR Requirements

You must ensure that the suppliers you use comply with the GDPR requirements. It is e.g. important to have a data processing agreement. Learn more about how MOCH as an e-learning supplier complies with the GDPR requirements by reading our ISAE-3000 declaration. 

3. Only Store Data You Need

It is important to consider ‘what is nice to have?’ and ‘what is need to have?’. In many cases, storing information that was used for a short task is not necessary, and it should be deleted again. 

4. Store Physical Documents Containing Sensitive Information Correctly

  • Pick up your documents immediately after being printed. 
  • Store the documents locked while unattended.
  • Store the documents in fireproof cabinets. 
  • Destroy the documents safely, so restoring them is impossible. 
  • Set up access control in premises that store personal information. 
  • Be aware of uninvited guests at our workplace. 

Summary And Experiences Related To GDPR

If you have reached this part of the article, we would like to give you a virtual pat on the shoulder. GDPR is a rather complex subject and we will not get around it. GDPR is an important part of many people’s daily life and it is crucial for data protection that the rules are complied with. 

Our experience is that teaching your employees the rules the awareness training, that makes them remember what they have learnt, is an effective tool. The awareness training is built on pedagogical learning principles and highly involves the participant. By gamification and practice-based cases with examples from your everyday life, the participant is forced to take a stand on a number of situations.

More than 350.000 users have completed our GDPR awareness training and have raised the knowledge level in their organisation – should your employees be the next to do so?


General Data Protection Regulation, GDPR in short, is legislations made to protect personal information. The legislation applies in Denmark as well as in the rest of the EU.

Large as well as small companies and organisations must pay attention to GPDR, because the rules have significant meaning for the people to whom they belong. The rules are made to protect EU-citizens and their data, and because of this it can have consequences for those who do not comply with them. 

In the following section, we will give some recommendations on how to achieve GDPR compliance. You can consider it a sort of guide or check-list in regards to what you should be aware of.

GDPR is important to know both as private individuals and as employees managing personal data in relation to their work. GDPR is important to all types of corporations and organisations, large as well as small. As long as you are in possession of or otherwise manage the personal information of others, you have a responsibility to comply with the GDPR rules. Data Protection is about security for the individual who shares data with corporations and organisations.

GDPR stands for General Data Protection Regulation.

The Data Protection Regulation, officially called the Personal Data Regulation, is a law that is intended to protect personal data.


The Personal Data Regulation, also called The Data Protection Regulation, is a law that is intended to protect personal data.

The Personal Data Regulation entered into force on May 25th of 2018. When the new rules came into force, a way to train its employees in the rules was needed, and because of this, we had an e-learning course in GDPR ready.

You should have procedures for processing personal data in your corporation or organisation. You should know what rights the data subject has during data storage. 

All natural people are covered by The Data Protection Regulation.

The Danish Data Protection Agency is the central independent authority that ensures that the rules of data protection are complied to. They process complaints and carry out inspections of authorities and corporations. 

Read the other section about sensitive personal information higher up in the article. 

According to GDPR, personal data is information about a natural person that can be used to identify the person. See examples of sensitive and regular personal data higher up in the article. 

As the owner of a sole proprietorship, you also have a responsibility to process personal information correctly. You can learn more on

By having a website, you typically also collect personal information about your customers. Therefore, you should be aware of complying with the rules of GDPR.

GDPR also applies to small businesses and the rules of data protection lists a number of requirements that must be complied to when collecting, storing, and transmitting personal information about others, e.g. your customers and your employees. Read more on

The central independent authority that is responsible for monitoring compliance with the GDPR legislation in Denmark is the Danish Data Protection Agency.

Anonymisation must ensure that personal information can no longer be attributed to a specific data subject. 

Privacy by Design and Default is designing solutions in such a way that they fundamentally protect personal data. You can read more in the General Data Protection Regulation’s article #25. If you want to present it to your employees in a different way, without having to read a heavy legal text, they can take module 9 in our e-learning.

Comments are closed.