GDPR – Everything you need to know


GDPR and the data protection regulation - What does GDPR mean in practice?

The General Data Protection Regulation (GDPR), which entered into force in May of 2018, means that there are now common data protection rules for all companies and organizations operating in the EU, regardless of where they have their original registered office. The stricter data protection rules mean that:
  • Private individuals now have greater control over their personal data and can better protect their privacy
  • Companies can operate and manage personal data on fair terms
  • Activities between countries within the EU are now subject to the same rules and responsibilities

What GDPR means and what GDPR law means

What is GDPR and what does GDPR stand for? GDPR stands for General Data Protection Regulation, and it is the name of the new data protection regulation, as we call it in Swedish. On 25 May 2018, the new Personal Data Act (GDPR) entered into force. This regulation is recognized throughout the EU, which means that the differences that previously existed between the countries have more or less disappeared completely. The same rules now apply to all companies and businesses within the EU. If you process “GDPR-sensitive” information, which means data that makes it possible to identify a natural person within the EU, you must do so in accordance with the GDPR. This applies above all to companies, organizations, authorities, and other public bodies. From the date of entry into force of the Data Protection Regulation, the GDPR always applies to the processing of personal data.

What does GDPR mean in short?

GDPR is an EU regulation that deals with the handling of personal data. GDPR in short means that you as a company may not use people’s personal data in any way without the consent of the person in question.


What does GDPR mean for private individuals?

The Data Protection Regulation, GDPR, strengthens your rights as an individual and citizen. As an individual, you have the right to know what personal information about you a company or organization has collected. You also have the right to correct incorrect personal information about you and in some cases also the right to have your information deleted.

Data Protection Regulation and GDPR background

Why was the Data Protection Regulation (GDPR) enacted? The purpose of introducing the GDPR was to harmonize laws on privacy throughout Europe, mainly to protect all EU citizens and give them greater data security. It has also meant that, at a strategic level, it has been necessary to reshape how organizations must process personal data. The GDPR can feel cumbersome, overwhelming, and in some cases frightening, mainly because the consequences of violating the GDPR can be devastating for companies. The fear of making mistakes has resulted in many companies, especially retail stores, not daring to register customers’ memberships, which of course affects the growth of their customer base. But the fact is that the GDPR is intended to simplify the management of European laws and it greatly benefits companies that operate internationally.

What does GDPR mean in practice?

The Data Protection Regulation GDPR has a basic structure based on 7 principles and you may only process personal data if you meet the requirements set by law:
  • You may only collect personal information for a specified and specific purpose.
  • You may only collect personal information that is necessary to fulfill the purpose.
  • If you handle personal information, you must keep it correct and up to date.
  • When the purpose has been achieved, the personal data must be deleted.
  • Personal information must be stored securely so that it is not altered or stolen.
  • You must be able to prove that you meet all the requirements and how this is done.

How long can you keep data about a customer?

What does the right to be forgotten mean? According to our data protection ordinance and IMY, personal data may be stored for as long as they are needed for the specific purpose of the personal data processing. When the personal data is then no longer needed for the purpose, you must delete or de-identify them as soon as possible. The right to be forgotten means that regardless of whether a customer has given their consent that you may handle their personal data, the person also has the right to revoke their consent. This means that as an individual you have the right to turn to a company, authority or the person who processes your personal data and ask to have your data deleted.

In which cases is the GDPR applicable?

Overall, all measures that utilize personal data are considered personal data processing. This applies, for example, to the collection, organization, registration, structuring, storage, processing, reading, use, production, dissemination or otherwise making available, adjustment, merging, limitation, destruction, or deletion of personal data. The scope of the GDPR is usually divided into two aspects: the material scope and the territorial (geographical) scope. For personal data processing to be covered by the GDPR, it must fall within both the material and the geographical scope of application, and there must be no exception stating that the processing is not covered by the GDPR in that case.

Who is the control body for GDPR in Sweden?

IMY (integrity authority) is Sweden’s national supervisory authority for the processing of personal data. They work to protect personal data and ensure that it is handled correctly and does not end up in the wrong hands. If you think that someone is processing personal data about you in a way that is contrary to the Data Protection Regulation (GDPR), you can lodge a complaint against them.

GDPR cookies and consent

Cookies are an important and very effective tool that can give companies and marketers a lot of insight into their users’ online activity. As most cookies collect and process users’ personal data, they are also covered by the rules for consent in accordance with the GDPR. 

The rules for cookies are divided between the GDPR and the ePrivacy Directive (the European cookie law). According to the ePrivacy directive, you must obtain the consent of your users to legally use cookies, i.e. to place cookies on their devices. This is also the reason why pop-up messages appear when you enter new pages that tell you that they use cookies and that you must give your consent to it.

GDPR summary

To tie things together, here is a GDPR summary of the most important points since the Data Protection Regulation (GDPR) came into force:

  • What is GDPR? GDPR is an EU law with mandatory rules for how organizations and companies may use personal data in a privacy-friendly way. Today, the same rules apply to all companies and businesses operating in the EU.
  • Why is the GDPR needed? The GDPR is designed to protect the privacy of citizens and individuals and is an upgrade of the EU’s previous data protection directive.
  • The most important practical points: In summary, the meaning of the GDPR is that the law establishes obligations for companies and gives rights to citizens. It is therefore wise for companies to establish and keep their data protection program up to date. If you want to ensure that you follow the rules to the letter, you can check this GDPR checklist.
