The EU's General Data Protection Regulation (GDPR)

The EU's General Data Protection Regulation (GDPR)

Last Edited September 11, 2023 by Garenne Bigby in Blog

May 25, 2018, marks the date when all companies that collect data from citizens of the European Union (EU) will need to abide by the new rules that govern the way customer data is protected. Whether it's providing personal data to companies who collect information for the sale of products or services or logging into apps or smartphones, the General Data Protection Regulation (GDPR) is set to initiate its approved legislation that puts forth new standards for consumers whose information is spread all across the internet.

In an effort to comply, security teams will be challenged as they revise the way they look at what is constituted personal identification information. The same level of protection will be required for an individual's cookie data or IP address as is needed for name, social security number, and address.

What is GDPR?

GDPR is a new set of rules designed to give citizens of the European Union more control over their personal data. It will put restrictions on the export of consumer data by companies, and give control to consumers and users to manage and own, cease sharing, or delete their personal data.

The first draft of this policy—the Data Protection Directive—was put into place in 1995, which helped assemble rules and regulations of online data use of its 28 EU nations. To further this collate, the GDPR is putting more emphasis on consent given to companies to access user information and ownership of user data.

This means that it will be high unlikely for companies to inveigle the system—bundling consent into confusing jargons that allow loopholes for the abuse of user data by organizations.

  • Data breaches. Under the General Data Protection Regulation, companies have a 72 hours' time span to notify users and/or the public of a data breach.
  • Users under the age of 16. Underage users require parental consent/approval before sharing information.
  • Plain language, easy-to-understand. User consent must be agreed to with plain and easy-to-understand policies. Users should also be given an efficient way to reverse their consent, if needs be.
  • Right to user data. New regulations also allow users the right to requests access to their information and to understand the extent to which it is used by organizations.
  • Stronger system protection. The legislation requires that stronger, more protective systems be put in place for users and consumers first, rather than profits or the needs of organizations.

Companies now have to be honest about data breaches when they occur—having only three days to notify the public and their consumers of such breaches. It also strengthens the rules for obtaining consent—underage users will have to get the approval of their parents before sharing information.

Since the occurrence of high profile breaches like the 2017 Equifax breach and Facebook's Cambridge Analytica data sharing, users have become skeptical when sharing their information online. A recent report by the RSA Privacy & Security highlighted that almost half of the respondents admitted to sharing false information when engaging with a company for commercial activities.

The GDPR represents a legislation that requires thorough planning and additional resources for business as it strengthens the need for self-assessment in data management.

Types of Privacy Data that is Protected by the GDPR

  • Basic personal information such as name, address, and identification numbers.
  • Genetic and health information
  • Biometric data
  • Sexual orientation
  • Ethnic data or racial data
  • Web data such as IP address, location, and cookie data
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions

Companies That the GDPR Affect

It applies to companies that process or store information about EU citizens, even if their physical location is not within the EU. Companies under these specific criteria must comply with the GDPR:

  • Companies that have a presence in an EU country
  • Have more than 250 employees
  • Processes personal of EU residence even if the company has no residence in the EU
  • Companies that have less than 250 employees but whose data processing is not occasional and impacts the rights of and includes certain types of sensitive personal data of EU residents.

A recent survey piloted by Propeller Insights highlights the industries that would be most affected: the technology sector, online retailers, software companies, financial services, online services/SaaS, and retail/consumer packaged goods.


GDPR Fines for Non-Compliance

Companies that don't, or refuse to comply with GDPR can face major financial penalties. The fine is currently set at 4% of a company's annual revenue or 10 million Euros, whichever amount is greater. For stricter penalties, it is 4% of worldwide turnover or 20 million Euros, whichever amount is greater.

Fines will depend on the severity of the breach:

  • Whether a company has taken compliance and security regulations seriously 
  • For unauthorized international transfer of personal data
  • Infringements of the rights of consumers and users
  • Ignoring a user's access request regarding their personal data

Companies with lighter penalties—those that mishandle data in other ways—will pay a lower fine of 2% of their worldwide turnover or 10 million Euros. The penalties include failure to ensure data protection, failure to report a data breach, and failure to integrate in privacy by design. A data protection officer should regulate these compliances. In essence, all organizations under the GDPR will need to ensure they have the necessary staff and skillset to be compliant with GDPR regulations. Failure to appoint an officer could be deemed as non-compliance and result in a fine.

Over 60% of people in the RSA survey blamed companies for data breaches instead of the hackers themselves. The GDPR agrees, and that's one of the many reasons for these new, stringent policies. Regulators will quickly act on companies not in compliance early, by sending them a message. 


GDPR Requirements That Affect Your Company

U.S. companies will be forced to change the way they store, process and protect users' data. Under the GDPR, companies will be allowed to process and store data only when consent is given by individuals and for no longer than is necessary for the intended purpose for which the data will be processed. Companies must also erase personal data upon request, and the data must be transferable from one company to another.

There are certain exceptions, however. The GDPR does not surpass any legal requirements that an organization keeps certain data, like HIPAA health records.


How to Tell if the GDPR Applies to You

The GDPR reaches across every industry in protecting its EU-citizens. U.S. companies will have to comply with the new legislation if they serve EU users. Even if persons visit your website or use your application by chance, they are protected.

As long as you collect data from an EU audience—whether it's from newsletter subscriptions or while developing an app—your company must adhere to the GDPR. This makes it an urgent need for businesses to put the necessary rules in place as soon as possible.


Can an Organization Get Exempted From the GDPR?

Yes—but with conditions. If your business does not target EU users nor does have dealings with them, you'll probably fall outside the range of the GDPR. An EU user who finds a website that is not under the legislation of the GDPR (a website not intended for an EU audience), will not be protected by them GDPR.

Reviewing your Google Analytics report can help you to see if your website is engaging with EU visitors, and the necessary steps to put forth adhering to GDPR.


The GDPR and Third-Party and Customer Contracts

A third-party vendor is an entity that process personally identifiable information on behalf of a controller. Equal liability is placed on these data processors and controllers (entities that determine how data is processed and for what reason). Having dealings with a third-party processor that is not in compliance with the GDPR means that your company is not in compliance. Failure to report braches by anyone in the chain and to inform users of their rights under the GDPR will also attract strict penalties.

This, therefore, means that existing contracts with processors (example, payroll service providers, cloud providers, or SaaS vendors) need be revised to ensure compliances are met. The contracts also need to reflect the regulatory changes—how data is protected and managed, and how breaches are reported.

Security teams, business, and IT leaders need to be knowledgeable as to how data is stored, processed, and exported to—as well as agree on a compliant process for reporting. Once those keys areas are understood and the impact it will have on your company is recognized, you will know how to better manage the relationship with your third-party vendors, as well as identify the ones that you need to be more focused on.

Have a discussion with your third-party partners. Check to see what certifications they employ and whether they are in compliance with the regulations of the GDPR. Do they have the necessary tools to retrieve, delete, or pseudonymize data? You are in this together—maintaining a good relationship with help you to work together more freely.


How to Adhere to the GDPR

If you have not already done so, being in compliant with the GDPR requirements should be your top priority. Not only should you be fully covered, but your third-party partners should also be in full compliance.

Revise Your Company’s Privacy Policies

A clear and easy-to-understand privacy policy about the use of collected information is fundamental to GDPR. When asking users for personal data, even for the most basic required for registering or to join your mailing list, ensure that the language used to explain how this information is collected and used by your company is plain and simple. Users should also be given the option to reverse or opt-out when necessary.

Get Active Consent

Making assumptions where consent is concerned is not a safe practice. If designing a data-collection mechanism or web-store checkout, an opt-in form, ensure that you explain clearly to users what they are opting into and how their data will be used. The opting-in action should be active rather than passive, as it is against the rules of the GDPR for organizations to assume that a failure to opt out denotes consent, or to rely on pre-ticked boxes. All conditions must be obvious—laid out in details—separately from your general terms of services.

This also applies internally. Employers must obtain active consent from employees when adding their personal details to databases. This doesn't mean that you are to undertake a whole new approach—refreshing existing consents in preparation for the GDPR. If you continue to bank on previously granted consents, make sure that it meets the required standards on being clear, specific, opt-in, prominent, easily withdraw, and properly documented.

If you are not certain if your data processing requirements are properly met, your safest bet would be to contact all subjects on your database to get a GDPR-compliant consent.

Integrate Your IT and Marketing Teams

Bring your IT and marketing teams up to speed so that they understand what's happening on both sides of your company; from global marketing efforts to cyber technology—and how they can work together to meet the required standards.

Seek Legal Advice

Meet with your legal team or any authorized agents to discuss the needed changes to be in line with what the new GDPR rules require of affected organizations.

Keep Your Users Informed

GDPR requires that customers and citizens be given the right to contest your use of their personal information or to revoke their consent at any given time. As already mentioned, it's best to hire a data protection officer to handle these dealings. Additionally, these details must be available to each state's Supervisory Authority. This is an independent body that seeks to protect the rights of European citizens by investigating complaints and liaising with other member states' Supervisory Authorities, administered by the European Data Protection Board.

An explanation outlined in plain language of how data is collected, used, and for what purpose, must be provided alongside your contact information. In addition, any interests that the controller and third-party processor who will receive the data might have, must be clearly explained.

Additional conditions apply if data wasn't directly obtained from individuals—for example, if it's a case where a mailing list was purchased. In these instances, the subjects must be notified of the categories of their personal data you will be collecting, how it will be obtained, and how you plan on using it.

Practice Data Mapping

Consider using data mapping to identify key information that is collected and document how it travels through your organization or between departments. This will help to recognize any potential risks to privacy before it becomes an issue.

Set Up Extra Protection for Children 

As many organizations and charities support children, GDPR brings in special protection for the rights of these young ones. The legislation stipulates that children under the age of 16 cannot give consent—a parent or guardian will have to act on their behalf. Your job is to verify that those persons providing consent on behalf of minors do have the right to do so. Any privacy statements will also need to be clearly stated—written in a language that children can understand.

Check Your Google Analytics Data

Check to see how much EU traffic you have coming in and verify if your marketing campaigns or teams are qualified to target EU users. Also, know what Google is up to. Find out if they themselves are following the stringent measures required for their Terms of Service.

Google is also making changes to data retention, providing the necessary tools controllers might need to restrict future data storage. They are keeping a close eye on accounts that collects personally identifiable information, such as name, social security information, address, and date of birth. It is important for companies to update their Google Analytics data retention settings, as well as audit their profiles for PII risks.

Check and Understand the Privacy Policies of Third Party Vendors

If needs be, ensure that your third-party applications or functionality are in compliance with the GDPR. If you find that your third-party partners aren't in compliance with the GDPR, then you aren't either. For those that aren't meeting the requirements or fail to comply, consider finding other avenues for that functionality. The long and short—work only with third-party vendors who are adhering to GDPR regulations.

Have Clear Options for Users to Delete or Revert Their Data

Searching for an unsubscribe button in an email footer is unacceptable with the GDPR. Ensure that users can easily find the necessary options to revert or delete their permissions for the use of their data.

Involve All Stakeholders

Prepare a task force that includes finance, marketing, IT, sales, and operations, along with any group within the organization that handles customer's PII or analyzes and collects data. These individuals will be better able to share information that is needed by those implementing procedural and technical changes.

Conduct a Risk Assessment

Understanding the risks around the data you process and store on EU citizens is of vital importance. The risk assessment is really to reveal all shadow IT that might be collecting and storing PII. The risk assessment must also put forth measures to alleviate those risks. Smaller point solutions and shadow IT denotes the greater risk of non-compliance.

On the word of IT thought leader, Matt Fisher, more than 39000 applications presently hold personal data. This effect poses a serious risk to an organization's GDPR compliance as most are only focused on the small percentage of apps that hold data visible or active for current operations. As IT teams get sidetrack from the applications in use within their organization, the lack of visibility could harm or threaten GDPR compliance.

Fisher further outlines that the biggest obstacle is getting started on the risk assessment. Companies must first get the full picture of their inventory applications and entire IT infrastructure. This, coupled with knowing which apps can process personal data, will significantly reduce the scope of the project along with the time spent on it.

Review, Update or Create Data Protection Plan

As is the norm for most companies, a data protection plan might already be in place, but they will need to revisit it to ensure that it complies with GDPR requirements.

What About Mobile?

A survey done by security executives at Lookout Inc. highlights that 64% of employees access organizational records including partner, customer, and employee PII, from their mobile devices. 81% of the respondents concurred that most employees get approval to install personal apps on their devices that are for work purposes, regardless of the device being their own or the company's. If those apps access and store personal data, do they comply with GDPR? That is a difficult area to control, especially if employees also use unauthorized apps.

Be Ready to Detect, Investigate, and Report Personal Data Breaches

Unauthorized disclosure of personal data, loss, unlawful or accidental destruction, alteration, or access to, is considered data breach. Having proper procedures in place to investigate, detect, and report data breaches, is acting in accordance with GDPR. The GDPR opens the way for reports of data breaches to the ICO or the affected individual in some cases. Demonstrating that you have the proper organizational measures and tools in place to protect against data breach, is an asset.

Incorporate Data Protection into New Projects and Services (Privacy by Design)

Making privacy an integral part of everything that you design—products, a process, or website—is a major step towards GDPR compliance. Do not assume that employing a third-party vendor to offload your data is way around this requirement—because it's still your responsibility to make sure they are compliant. Building a data protection plan for all new projects and services is a good thing, as GDPR views privacy by design a legal requirement.

To accomplish this, the data protection impact assessment should be carried out where sensitive groups of data will be managed on a large scale, new technology is employed, and where profiling may affect individuals. Clearly point out who will be undertaking impact assessments, how they will be recorded, and when they will be used.

The GDPR is being very fair about this. Requirements include transparency, end-to-end encryption, and the ability for users to identify themselves divulging non-essential sensitive information. For example, if you need someone to prove that that they are over 18, they should be able to do so without exposing other sensitive information such as credit card details.

Also of importance—at the point of capture, all collected data should be anonymized, so that the end result represents a long string of meaningless data.

Do You Carryout Fundraising Events?

Fundraising events are just like other usual business endeavors where personal information may be needed to fulfill a transaction. If you collect sensitive personal data to carry out fundraising activities, you need to get up to speed with the latest guidelines on data protection and fundraising. For more information on fundraising guidelines, visit the Fundraising Regulator website.

Remain Accountable

If asked, you must be able to prove that you have adopted privacy-centric business processes. This means that you will have a record of the processes and discussions you have undertaken to get to your final implementation. This is enough protection for yourself as it a way of reassuring customers that you have taken the necessary steps to ensure data protection measures within your company.

Along with this, the staff assigned to handle personal data must be adequately trained; ensuring that GDPR requirements are met for your internal data-protection policy.

Having more than 250 staff members will also attract additional requirements. You will need to retain descriptions of all organizational and technical security measures, written internal records of all data processing activities, and documentation of any safety measures applicable to data-transfer mechanisms. The more extensive and detailed your records are, the better, as a Supervisory Authority may request them to check your compliance.

Executing a Data Protection Impact Assessment (DPIA) will help you spot any weakness in your data protection measures, as well as carefully assemble your documentation. Conducting a DPIA whenever new technologies are employed to processes data that could put an individual's privacy at risk, is a recommendation by the Information Commissioner's Office.

The DPIA should include an outline of your processing operations and their purposes, risk assessments for individuals, the measures employed to minimalize risks, and the requisite of data processing and retention.

Be Careful When Using Algorithms

Most online decisions are now automated. That said, the GDPR requires that automated processing be excluded from handling decisions of a legal nature or similar unless it is absolutely necessary and is required by law. In such cases, the customer must have given their active consent.

Businesses selling products online need to be careful where this is concerned, but they aren't the only ones. All profiling activities fall under the GDPR's realm if used to analyze movements (such as social networking and mapping services), health, personal preferences, performance at work, and so forth.

To be more specific—whenever you intend on using algorithms to analyze the data of an individual—know that you are not allowed to use the collected data to make decisions with legal implications unless the individual specifically gave permission.

Audit Your Data

Now is a good time to start auditing your data processing and collection activities, and update them if necessary. Check to see whether any of your third-party providers are located outside of the European Union, as GDPR restricts the transfers of information outside of their protective barriers.
Moreover, remember that the UK will be an external nation once it completes its exit from the European Union. It is hoped that the transfer of personal data to British companies by EU member states will be permitted with an adequate level of protection by the European Commission. It will be bad news, of course, if this doesn't happen. The only option then will be to find a way to set up shop within the EU itself. To keep a close eye on the legal situation, bookmark the ICO dedicated GDPR pages.

Consider Hiring a Data Protection Officer (DPO) 

If you haven't started looking for a DPO, it is time to consider hiring an executive responsible for compliance with GDPR regulations. According to the rules of GDPR, the position doesn't have to be discrete, so a company may choose to appoint someone who already has a similar role within the organization. For example, if the organization processes large scales of sensitive information such as criminal or health records, there needs to be someone in charge of that area. 

Be sure that the chosen individual is capable of handling matters related to the protection of PII without conflict of interest. If you choose to hire an external DPO, the position need not be full-time. A Data Protection Officer is also allowed to work for multiple organizations, so a virtual DPO is an option you might want to consider. For more information about when to appoint a Data Protection Officer, visit the ICO website.

Be Prepared To Delete Your Data

In place of a "right to be forgotten,” the GDPR embodies a "right to erasure" that already applies within the EU. Where applicable, users can request that their information is removed from your database entirely.
It might be a case where a customer withdraws their consent for the further processing of their data. It can be for reasons that the data was processed or obtained unlawfully, or where the intended purpose for which it was initially collected no longer applies.
There are, however, legal grounds for declining such requests. These include archival purposes or public health, both of which must serve the public's interest. Personal records in defense of legal claims can also be kept, for performing tasks required by an official authority or to comply with legal retention obligations.
Ensure that your system can easily identify and delete individuals' data—as in most cases—you will have to comply with erasure requests. Additionally, if you have partnered with third-party vendors, the onus is on you to ensure that they comply with the GDPR's erasure request—unless they claim one of the valid defenses.



In the coming months, it is likely that you will hear of organizations that are highlighted for breaking the rules or penalized in some way or another. It is also a possibility that more top-ranking tools like Google’s webmaster suite will adjust as they become aware of GDPR requirements.
Be sure that you collaborate with your team (legal counsel, IT, and marketing department) to ensure that you are in full compliance—delivering the safest and most trusting experience to your users.


Garenne Bigby
Author: Garenne BigbyWebsite:
Founder of DYNO Mapper and Former Advisory Committee Representative at the W3C.

Create Interactive Visual Sitemaps

Discovery has never been easier.

Sign up today!