The General Data Protection Regulation (GDPR), aka the Algemene Verordening Gegevensbescherming (AVG) in the Netherlands, came into force on May 25, 2018. In the Netherlands it replaced the former data protection legislation.

The regulation recognizes that people have a digital footprint that can identify personal and private details, that individuals have a right to control information about themselves, and that this information is not a free-for-all commodity to be commercialized.

The GDPR is designed to:

  • give individuals more power to control their own personal data, including the power to be “forgotten”
  • ensure personal data is securely stored, backed up by hefty fines for breaches. (up to 20m euros or 4% of turnover)
  • improve trust and harmonise data protection laws across Europe.

The GDPR applies to personal data—this is anything that relates to or can be used to identify a person in any way, such as name, address, photo, social media accounts, email, bank account, IP address, and medical records. Data means digital files, but also well-structured physical files (which would let many of the journalists I know off the hook).

In a nutshell, GDPR is about recognizing that personal data is a precious thing and individuals own their own personal data. Think of personal data as a digital diamond ring; you must have permission to handle it and share it with other people or you’ll be faced with a big bill if it goes missing.

The journalism exemption

Much of what journalists do is subject to an exemption that allows them to actually do their work. However, not exempt is the responsibility to ensure the personal data being held is secure by using encryption on devices, locked cupboards and even diligent checking of emails to make sure they are not sent to the wrong person through a CC (rather than a BCC). This could also potentially include handing over a group email address for purposes other than what it is intended for.

The journalism exemption covers a wide range of people, not just journalists. It pertains to journalistic purpose, the intention to publish and public interest rather than defining who is a journalist.

This document is designed to be a GDPR in a (very small) nutshell. For more in-depth briefings see the following links or just Google:

Guidance for freelancers from the NUJ. (Note this is a members-only resource)

Normally the NUJ offers training, but this is suspended until the end of May due to Covid-19. Check the NUJ website for resumption dates.

GDPR for business briefing from