NINJIO has developed an original five-episode training series on GDPR compliance, designed to give end users a broad understanding of GDPR and the rules that apply to data subjects (people) and data controllers (usually companies). As with all NINJIO episodes, the series is presented through engaging, Hollywood-style storytelling.


This series is primarily relevant for employees who work for organizations that do business with the European Union and store personal information that belongs to EU residents. NINJIO GDPR training gives employees a broad understanding of GDPR and how it impacts their jobs on a day-to-day basis.”



In this episode, we explain that consumers have a right to know how you’re going to use their personal information. They can also ask why you need it and how long you’re going to keep it. Finally, if consumers want to know what personal data you possess, you’re obligated to tell them.




GDPR is for companies both inside and outside the EU, including American companies that frequently do business in Europe.

GDPR applies to any personal data as it relates to people, or ‘data subjects.’

GDPR went into effect on May 25, 2018, which was necessary because the last major data protection regulation came out in 1995.

GDPR applies to ‘data controllers’ ( organizations that have relationships with data subjects) and ‘data ‘processors’ (organizations that work for data controllers and process personal data on the data controllers’ behalf).


Data controllers and data processors need to keep minimal data.

Data controllers and data processors need to make sure their data are accurate. They need to secure it, and they need to keep it only as long as it’s absolutely necessary.

Data subjects, or as GDPR calls them—data subjects – have rights with regard to their personal data and what you know about them. These rights must be honored.


The processing of personal data needs to be lawful, fair, and transparent.

Data subjects should be informed about how their personal information is being used.

Companies should continually delete data that’s no longer needed ‒ another GDPR mandate.

Effective security measures must be in place, such as firewalls, e-mail content filtering, automated software updates, and security awareness training.


Data subjects have the right to request any mistakes in their data be rectified, which must be done in a timely manner.

Data subjects’ ‘right to be forgotten’ refers to their right to request their information be deleted. Exceptions to this rule do exist, however.

“Data portability” means a person’s data must be provided in a machine-readable format.

Data subjects can demand their data not be used for profiling or direct marketing.

If a computer makes a decision that creates a material effect, the data subject has the right to say “I’d like a human being to look at that as well.”

No fees can be charged to a data subject for requesting any of the above. Data processors and controllers have one month to respond to any inquiries.


Data controllers must be able to demonstrate they are GDPR compliant, which means having appropriate policies in place and adhering to them.

Due diligence must be taken in vetting third-party processors. The correct contracts must be used when partnering with them, and these contracts will likely need to be amended or revised to reflect GDPR requirements.

Every European Union member has a ‘data protection regulator.’ In the event of a breach, this person must be notified within 72 hours. If the breach is particularly high risk, the data subjects themselves may need to be informed.

If your company is of a certain size or type, and you are not established in the EU, you may need to appoint an EU representative.

Depending on the amount and type of data your company deals with, you may need to appoint a ‘Data Protection Officer.’

Failure to adhere to any of these rules could result in fines of up to 4% of gross revenue.