Follow us

How to Explain GDPR to a 5 Year Old

By | November 14, 2017 in General IT

How to Explain GDPR to a 5 Year Old

If you’re not familiar with the new EU General Data Protection Regulation (GDPR), then you’d better start learning now. Even if you’ve never been to Europe you still need to obey this law if you ever use or manage ANY personal data about anybody who lives in the EU.

GDPR will come into force in May 2018, and it’s complicated. If you work for a huge multi-national company with a dedicated information security department they’ve probably been working on this for at least a year so you’re unlikely to have much to worry about.

But what about the rest of us? What do we need to do to be ready for GDPR?

Well, obviously the first step is to understand what we’re being asked to deliver. Unfortunately, most explanations of GDPR are quite complex, but though it may be difficult to explain GDPR in terms that make sense even to a five year old, it’s not actually impossible. Instead of talking about sharing information, I can illustrate most of the key points by talking about sharing toys.

For anyone who wants to read an explanation in more formal language, I’ve taken all my headings from the UK Information Commissioner’s Office Overview of GDPR. I’ll explain what each of these headings means by using my toy-sharing analogy.

The GDPR Principles

Lawful Processing

Sometimes you want to share your toys with other children, but sometimes you don’t. That’s fine. You’re allowed to share your toys if you want to, but you don’t have to. You can keep some toys just for yourself. If someone wants to play with your toys then they should ask you first. If you say “yes” they are allowed to play with the toy. Of course, that only counts if you have a real choice. If another child threatens to hit you if you don’t say “yes” then that isn’t fair.

Sometimes other children are allowed to play with your toys without asking. For example, if your friends are waiting in your house for you to come home to play football, it might be okay for them to practice with your football while they’re waiting. Sometimes your parents might give someone permission to play with one of your toys, even though you would rather they didn’t. That might make you feel sad or cross, but the other child wouldn’t be doing anything wrong when they played with the toy.

GDPR says that all processing of personal data must be lawful. The simplest example of lawful processing is when someone gives you permission to process their data, but there are other circumstances that can make your processing lawful, for example if you need to use the data to deliver a service that the customer has bought from you, or if a court of law instructs you to do something with the data.

Individual Rights

If you lend a toy to a friend, it’s still your toy. Your friend needs to look after your toy properly and make sure they act fairly to you.

The following are your rights – with your toys and your data.

The right to be informed

When someone wants to borrow a toy, they must identify themselves, tell you what toy they’re borrowing, how long they’re going to keep it, and who else they might share it with; and they must be aware that you can ask for the toy back at any time. They should also let you know who you can go to, to complain, if they aren’t being fair.

Similarly, with your data: If you ask a user to share their data with you, you must identify who you are, what data you need, why you need it etc.

The right of access

If you ask someone which of your toys they’ve borrowed, they must let you know. It might take them a little while to be 100% sure of exactly which toys of yours they’ve got, but they must tell you within one month of you asking. If there’s a really good reason, then it might take up to three months, but they can never take longer than that.

Similarly, with your data: If someone asks your organization what data you have about them, you must respond within one month, or in some circumstances you may have up to 3 months.

The right to rectification

If someone borrows one of your toys they must look after it. If they damage a toy, then you can ask them to fix it and they need to agree to that.

Similarly, with your data: If someone asks you to correct the personal data you have stored about them then you must do so.

The right to erasure (also known as the right to be forgotten)

You can ask someone to stop using your toy at any time, and they should stop straight away, unless they have a very good reason for carrying on. For example, if they’ve borrowed your bike then they might need to get home first. Bottom line - they shouldn’t keep the toy after you’ve asked them to give it back.

Similarly, with your data: If someone withdraws their consent for you to process their data, or if the data is no longer needed for the purpose for which it was collected, then you must erase the data. Of course you are allowed to keep the data if it’s needed to defend a legal claim or for some other good reason like that. 

The right to restrict processing

If you ask someone to stop playing with your toy, you might not want it back straight away. You could let them keep the toy for a while, but not play with it. They still have to look after the toy and make sure it stays safe.

Similarly, with your data: If someone asks you not to use their personal data, then you must not use it any more. This might happen if there is a dispute about your right to use the data, or about the accuracy of the data.

The right to data portability

If you ask someone to give your toy back, then you should be able to use it as originally intended when you get it back. For example, it wouldn’t be fair if they borrowed your bike, then took it apart and gave you back a box full of bike parts, would it?

Similarly, with your data: If someone asks for a portable copy of their personal data then you must provide it to them in a commonly used, and machine readable, form.

The right to object

If you don’t like the way that someone is using your toy, then you can ask them to stop. They must stop straight away, unless there’s a very good reason not to. For example, if they’re using your skipping rope to save someone who is stuck in a river, then they can continue.

Similarly, with your data: If someone objects to how you’re using their personal data, then you must stop processing it, unless you can show compelling reasons why you have to override their rights. If you’re using the data for direct marketing, then there are no exemptions or grounds to refuse.

Rights related to automated decision making and profiling

When you lend your toys, you need to be able to talk to a real person about what they’re doing with them, and why. It’s not right if a computer makes all the decisions without explaining. Let me explain…

Suppose you lend all your toys to a toy library that has a computer in charge of lending and returns, and fining people for losing or damaging toys. The toy library must make sure that you can talk to a person, and not just a computer, if one of your toys gets lost, or if you’re fined unfairly for not returning a toy that you know you’ve returned. You must be able to tell that person what you think is wrong, and they must explain what has happened.

This rule doesn’t always apply. It doesn’t apply if you make a deal with the toy library that allows the computer to make decisions without having to talk to you about them; and it doesn’t apply when there are laws that allow the computer to make decisions. It also doesn’t apply to decisions that don’t have a bad effect on you - for example deciding to close the toy library a few minutes early on a day you didn’t visit, or fining someone else.

Similarly, with your data: If you use automated processing to make decisions that affect people, then you must make sure that they can talk to a human being about the decision and be offered an explanation and an opportunity to challenge the decision.

Accountability and Governance

If somebody borrows your toy, then they might have to show that you gave them permission, and that they looked after it properly. It’s not enough to ask for permission and take good care of the toy, they must be able to prove that they did so.

Organizations need to keep good records, so they can prove that they have lawfully obtained and processed data. It’s not enough to just show you had no breaches, and nobody complained.

Breach Notification

If someone breaks a toy that they’ve borrowed, or loses it, then they must tell you within three days. If they just lose it for a few minutes and then find it again, and nothing bad happens to you because of this, then they might not need to tell you. But they must tell you about any serious loss or damage.

They must also tell your parents (the “regulatory authority”). They must explain whose toy it was, what damage was done, what they’re doing to make up for it, and how they’re going to stop it from happening again.

Many organizations will find this requirement to notify the authorities, and the affected people, within 72 hours of a data breach quite difficult. You need a well-designed and rehearsed security incident management process. If you get this wrong, then it could be very expensive.

Transfer of Data

You’re allowed to lend your own toys to other people, but if you’ve borrowed someone else’s toy then you can’t lend it to another person, unless you can be certain that the person you’re lending it to will look after it just like you would.

Personal data can’t be transferred to another organization unless you ensure there are adequate safeguards. There are further specific requirements for data being transferred outside the EU.

National Derogations

Sometimes there are special, local, rules about lending toys. For example, one country might have a law saying you can’t lend toy guns to people. In another country there could be a law saying that the church can borrow religious toys without having to ask for permission.

EU governments can introduce exemptions from some of these rights, but only for specific reasons such as national security or law enforcement.

My Conclusions

GDPR is going to have a huge impact on any organization that controls or processes personal data. You not only have to comply with all the requirements, but you must be able to produce records showing that you have. This regulation applies to any organization that offers goods or services to individuals in the EU, even if they are based somewhere completely different.

If you haven’t started planning for GDPR yet then you urgently need to get started. There is a lot of work to do to ensure that you are compliant, and that you can show that you’re compliant. You’ll find there are lots of “GDPR consultants” ready and willing to help you, but do take care to review their experience before taking them on.

Remember, you can’t borrow toys without having permission (or another legitimate reason), and you must look after them properly.

I hope my analogy* clarified a few things. Please do let me know if you have any comments or questions.

* With thanks to Moyn Uddin for the idea of comparing GDPR to lending something physical (

Stuart Rance

About Stuart Rance

Stuart is an ITSM and security consultant, working with clients all round the world. He is one of the authors of ITIL 4, as well as an author of ITIL Practitioner, ITIL Service Transition, and Resilia: Cyber Resilience Best Practice. He is also a trainer, teaching standard and custom courses in ITSM and information security management, and an examiner helping to create ITIL and other exams. Now that his children have all left home, he has plenty of time on his hands for contributing to our blog - lucky us!

32 thoughts on “How to Explain GDPR to a 5 Year Old”

  1. Avatar Kwame

    Amazing analogy Stuart! I think I may try using this to explain to a few small charities I’m going to be dealing with. Thank you Thank you Thank you (notice how many)


  2. Avatar Andries Bosma

    Interesting article. We use sysaid cloud for incident management, and of course some personal information about the requestor is processed. Are we required to enter into a formal data processor agreement with sysaid to be compliant with GDPR?


    1. Stuart Rance Stuart Rance


      I can’t offer specific guidance here, especially as this may have a legal or regulatory impact on you.

      In general, if you are responsible for personal information of people in the EU then you must ensure that all your suppliers who have access to that date treat it in a suitable way.


  3. Avatar Oded Moshe

    Hi Andries,
    The GDPR states that a data controller (in this case a SysAid customer) must have a written contract in place with a data processor in cases where personal data will be processed by a data processor (SysAid, in the case of the cloud solution). The main objective of this requirement is to ensure responsibilities of each party are clear. Briefly, the processor’s responsibility is to act only according to the instructions of the controller, and to take all measures to ensure that personal data is secure.
    SysAid will release an addendum to each of its cloud customer’s agreements stating it’s responsibility as a processor, during Q1 of 2018.
    Hope this helps –
    Oded (VP Products, SysAid)


  4. Avatar Adrian Sim

    Stuart, absolutely oustanding analogy, im currently helping my sons school come to terms with what is about to hit and this fits the bill perfectly, I hope there would be no objection to my use of your work? Thanks again, excellent work.


  5. Avatar David Faulkes

    Hello Stuart
    This is a superb article.
    Either you spent many hours writing it, or you have an intellect the size of the planet. In either scenario…Thank you very much.
    David Faulkes


  6. Avatar Vijay

    Hi Stuart,
    I have been doing some research about GDPR recently and your article stands out amongst the jargon-heavy/complex ones that I’ve read so far.
    Very well articulated and easy to comprehend.

    Thank you


  7. Avatar Durai

    Excellent analogy Stuart. I am about to explain the GDPR to my team. Is it ok to use your analogy to explain the GDPR, please? Thanks.


Leave a Reply

Your email address will not be published.