Documentation index

Guide ›

What is the GDPR and how will it affect your business

GDPR: The term has been going around for some time now in the business space and more recently with an increased sense of urgency.

But, what is it really? And more importantly, why should you care?

What exactly is the GDPR

The acronym GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how user data should be collected, used, protected or interacted with in general. The intent here is to bolster and centralize data protection within the EU, putting personal data control back into the hands of all people whose personal data fall within its scope.

The GDPR is the biggest change to data protection in the region in 20 years and replaces the Data Protection Directive of 1995. The regulation was adopted in April 2016, and following a two-year transitionary period, it will be fully enforceable by May 25th, 2018 (meaning that you’re are expected to be GDPR compliant by that date!).

Does GDPR apply to you?

The short answer is most likely, yes. The GDPR applies to all government agencies, companies and organizations (including non-profits) and individuals that are based in EU; or access the data of people in the EU in anyway; or offer goods and/or services to people in the EU (even if the offer is for free).

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether you’re located in the EU or not.

As a matter of fact, a recent PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.

What exactly does “Personal Data” comprise of?

Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. This applies even to data that has been pseudonymized or encrypted as long as the encryption/ anonymization is reversible.
In terms of meeting data protection obligations under the regulation, it means that decryption keys will need to be kept separately from the pseudonymised data.

Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, political opinions, and sexual orientation data.

Examples of non-personal data include company registration numbers, generic company email addresses such as, and anonymized data.

Are there penalties for non-compliance?

Yes. The legal ramifications for non-compliancy include fines, sanctions (inclusive of audits) and potential litigation.

  • The fines are up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
  • Sanctions include official reprimands (for first-time violations) and periodic data protection audits (which can lead to the potential seizure of valuable data in cases where similar data was obtained using non-compliant methods).
  • Under the GDPR, users have the right to compensation for any damages resulting from an organization’s non-compliance, hereby leaving violators open to potential legal action.

So it’s pretty important to be ready.

Core requirements of the regulation.

Special definitions used below:

*The term ‘user’ here means an individual whose personal data is processed by a controller or processor.
 *The term ‘data controller‘ means any person or legal entity involved in determining the purpose and ways of processing the personal data. 
*The term ‘data processor‘ means any person or legal entity involved in processing personal data on behalf of the controller.
(For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.)

Lawful basis for processing data (Article 6)
Under the GDPR data can only be processed if there’s at least one lawful reason for doing so.
The Lawful bases are:

  • The user has given consent for one or more specific purposes.
  • The data processing is necessary for a contract in which the user is a participant or necessary in order to take steps (requested by the user) prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for doing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

Consent (Articles 7&8):
Consent obtained from users must be explicit and verifiable (opt-in). In getting consent for data use, you may not use overly complicated or indecipherable terms/ wording —this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly (see ours here) using understandable language and clauses so that users are clear on what they’re consenting to. Consent for children under 13 must be given by a legal guardian using verification measures (e.g, control questions) and in general, it must be as easy for users to withdraw consent as it is for them to give it.
Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of consent. The records should contain details of when and how consent was obtained and exactly what the user was told at the time.

User Rights:
Under the GDPR users have specific rights that must be honored. These include:

  • The right to be informed (Articles 13&14): In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/ app.
  • The right of access (Article 15): Users have the right to access to their personal data and information about how their personal data is being processed.
  • The right to rectification (Article 16): Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to erasure (Article 17): When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing (Article 18): Users have the right to restrict the processing of their personal data in specific cases.
  • The right to data portability (Article 20): Users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to object (Article 21): Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • Rights related to automated decision making and profiling (Article 22): Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Privacy by design and default (Article 25):
Data protection should be included from the onset of design and development of the business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.

Maintain records of processing activities (Article 30).
In several specific cases, the GDPR may require that up-to-date records of the data processing activities being carried out are kept and maintained. These cases include situations where the processing can result in a risk to the rights and freedoms of individuals and where special categories of data are being processed.

Breach Notification (Articles 33&34):
If there is a data breach, the data processor will have to notify the controller immediately after becoming aware. The data controller must then notify the Supervisory Authority within 72 hours of becoming aware of the breach. Under this rule, users must also be informed of the breach (within the same time frame) unless the data breached was anonymized (for example via encryption).

Data Protection Impact Assessment (Article 35):
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.

Appointment of Data Protection Officers (Article 37):
In public authorities (except courts/judicial authorities), organizations that systematically process personal data on a large-scale and in cases where special categories of data are being processed, a professional with expert knowledge of data protection law and practices must be appointed as Data Protection Officer (DPO). This officer should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.

Cross-border data transfers (Articles 44-50):
The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs). If transferring data outside of these conditions, informed consent must be received from the user —in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country.

What this means for businesses

As with most new regulations, the GDPR has it’s pros and cons from a business point of view. Generally speaking, the new regulations will mean more restrictions on the commercial use of data and more initial spending of becoming compliant. However, in the long term, the regulation is intended to encourage innovation, reduce the cost of doing business in the EU, mitigate risks and associated potential costs, safeguard individual data security rights and encourage consumer trust.

Next Steps

In terms of compliance, some of the first logical steps are to:

  • Make sure that your privacy policy is up to regulation. You can click here for information on what your privacy policy should contain or you can simply generate one here.
  • Review your current data processing systems and ensure that they are up to regulatory specifications.
  • Review your data processors’ GDPR readiness (data processors can include your cloud service provider, email marketing service providers, analytics companies etc.). The ICO’s controller/processor Contracts and liabilities Guide is a good place to start.

Looking for more in-depth information on the GDPR? You’re welcome to join us at our up-coming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to reserve your spot NOW (as our webinars often fill up quickly).

You can also read our GDPR overview here and the full GDPR legal text here (available in several languages).


iubenda helps you with the generation of your privacy policy and a fully fledged cookie management system (Cookie Solution)

Take me to the privacy policy generator

Take me to the Cookie solution

Still have questions?

Visit our support forum Email us