What does the new General Data Protection Regulation mean for you?

In April 2016 the European Parliament gave final approval to the so-called “General Data Protection Regulation” (GDPR), which was published in the Official Journal of the EU in May 2016. It gives individuals the same data protection rights across the EU, replacing the patchwork of national data protection laws that companies currently have to navigate.

The GDPR will help people regain control over their personal data, but it will create compliance work for companies that rely on customer data to run their sales and marketing activities.

The GDPR applies from May 25th 2018, so the next two years are the window in which companies must bring their processing into line with every requirement of the regulation; there is no grace period after that date.

While the core rules of the Data Protection Directive (Directive 95/46/EC, the law that has governed the use of EU individuals’ data for the last twenty years) remain largely the same, companies will need to be able to demonstrate compliance with the following principles, which the GDPR sets out in Article 5:

  1. Lawfulness, Fairness and Transparency
  2. Purpose Limitation
  3. Data Minimization
  4. Accuracy
  5. Storage Limitation
  6. Integrity and Confidentiality
  7. Accountability

What do the general data protection regulation changes mean for you?

Below is a list of the main changes that will affect European companies and other companies doing business in the EU. Under each change, the bullet points summarize how it affects you.

Territorial Reach

The regulation applies both to businesses established in the European Union and to businesses established outside it whose systems process the personal data of people in the EU (for example by offering them goods or services or by monitoring their behaviour). Such foreign companies will generally need to appoint a representative in the EU, who can be addressed by supervisory authorities and data subjects on all questions of GDPR compliance.

  • If you process the personal data of people in the EU from outside the EU, you must still comply.


Children’s Data

Where processing is based on consent and an online service is offered directly to a child under 16, the child’s consent is only valid if it is given or authorized by the holder of parental responsibility (member states may lower this threshold to 13). In addition, the “Right to be forgotten” is stronger for data collected from children, since a child may not have fully understood the risks of consenting.

  • You will need a way to establish the age of your users, for example by capturing their date of birth.
  • For children under the age of 16 (or the lower age set by the member state), you will need to obtain parental authorization and keep a verifiable record of it.


Consent

The GDPR raises the bar for consent: it must be freely given, specific, informed and unambiguous, given by a clear affirmative action rather than inferred from silence or pre-ticked boxes, and requested separately for each purpose, including any transfer of the data outside the EU. Users must be able to withdraw their consent at any time, and withdrawing consent must be as easy as giving it.

  • You will need a clearly visible notice on your website that explains how user data will be used, processed and transferred, and a consent mechanism that records what each user agreed to and when.

Data Subjects’ Rights

The regulation gives people the right to access the personal data a company holds about them at any time, and to have inaccurate details corrected. Adults, like children, will also have the “Right to be forgotten”, meaning that they can ask a company to delete all of the information it holds about them (subject to limited exceptions, such as data the company is legally obliged to retain).

  • You must know where every item of personal data is held (ideally in a single system of record) and keep an auditable record of where and when it was collected.
  • Create a process that lets people request a copy of their data and have records updated or deleted, and respond within the regulation’s one-month deadline.
  • When data records are changed, you must be able to produce an audit trail showing when each change was made and by whom.
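The last two bullets describe the mechanism a practitioner has to build: a record of the subject’s data, a request-handling path for access, rectification and erasure, and an audit trail of who changed what and when. The following Python example is added here to illustrate one way of doing that; it is not code from the original post or from Techedge, and all class, method and identifier names in it are hypothetical. The design point it demonstrates is that the audit trail must stay tamper-evident (each entry is hash-chained to the previous one) but must not itself contain copies of the personal data, otherwise an erasure request would leave the data behind in the log.

```python
"""Added example (not from the original post): a minimal personal-data store
with an append-only, hash-chained audit trail. The trail records who changed
which record, which fields, and when, but never the field values, so that
erasing a subject does not leave copies of their data in the log.
All names here are hypothetical."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first audit entry


class PersonalDataStore:
    def __init__(self):
        self._records = {}   # subject_id -> dict of personal data fields
        self._audit = []     # append-only list of audit entries
        self._prev_hash = GENESIS

    def _log(self, actor, action, subject_id, fields, when=None):
        # Only field NAMES are logged, never values: the trail must survive
        # erasure without re-storing the erased personal data.
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "subject": subject_id,
            "fields": sorted(fields),
            "prev": self._prev_hash,
        }
        digest = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self._prev_hash = digest
        self._audit.append(entry)
        return entry

    def collect(self, actor, subject_id, data, source, when=None):
        # Records where the data came from ("source") as the bullets require.
        self._records[subject_id] = dict(data)
        return self._log(actor, "collect:" + source, subject_id, data.keys(), when)

    def access(self, subject_id):
        # Right of access: a copy of everything currently held on the subject.
        return dict(self._records.get(subject_id, {}))

    def rectify(self, actor, subject_id, changes, when=None):
        # Right to rectification: update fields and log who changed which ones.
        self._records.setdefault(subject_id, {}).update(changes)
        return self._log(actor, "rectify", subject_id, changes.keys(), when)

    def erase(self, actor, subject_id, when=None):
        # Right to erasure: drop the record; the log keeps only field names.
        fields = list(self._records.pop(subject_id, {}).keys())
        return self._log(actor, "erase", subject_id, fields, when)

    def history(self, subject_id):
        return [e for e in self._audit if e["subject"] == subject_id]

    def verify_audit(self):
        # Recompute the hash chain; any edited or removed entry breaks it.
        prev = GENESIS
        for e in self._audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed walk-through: collect, rectify, then erase one subject."""
    store = PersonalDataStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # fixed time for reproducibility
    store.collect("web-form", "s-001",
                  {"name": "Anna Example", "email": "anna@example.org"},
                  "signup", t0)
    store.rectify("support:jdoe", "s-001", {"email": "anna.e@example.org"}, t0)
    store.erase("dpo:mrossi", "s-001", t0)
    return store


if __name__ == "__main__":
    s = demo()
    print("held after erasure:", s.access("s-001"))
    for e in s.history("s-001"):
        print(e["ts"], e["actor"], e["action"], e["fields"])
    print("audit chain intact:", s.verify_audit())
```

After `demo()` runs, `access("s-001")` returns an empty dict while `history("s-001")` still shows the collect, rectify and erase entries with their actors and field names, and `verify_audit()` returns `False` as soon as any entry is edited after the fact. In a real system the hash chain would be anchored externally (for example by periodically signing the latest hash or writing it to a separate, append-only store), since an attacker who can rewrite the whole list can also rebuild the chain.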

Data Protection Officer

Some organizations will need to appoint a Data Protection Officer (either an employee or an external contractor). The DPO must be involved in all matters relating to the protection of personal data and reports to the highest level of management.

Organizations that must appoint a DPO include:

  • Public authorities and bodies;
  • Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale;
  • Organizations whose core activities involve large-scale processing of sensitive personal data (special categories of data, or data relating to criminal convictions).


Breach Notification

Under the GDPR, a company that suffers a personal data breach must notify the supervisory authority (the national data protection authority, DPA) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people concerned, the company must also inform them without undue delay.

  • Security investments, in detection as much as in prevention, will be increasingly critical: the 72-hour clock starts when you become aware of the breach, so slow detection directly eats into the time available to respond.
  • You will need monitoring and an internal escalation path that gets suspected breaches to the people who can assess them within hours, not weeks.
  • You will need a documented notification process covering what is reported to the authority and how affected individuals are contacted.

Data Transfers

For transfers of personal data outside the EU, the GDPR keeps the approach of the Data Protection Directive: transfers are prohibited unless the destination has been found to offer adequate protection or appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place. In addition, a company that has shared personal data with other entities must tell each recipient about any rectification or erasure of that data so that they can correct or delete their own copies.

  • You will need data syndication and distribution policies.
  • You will need to think carefully through your data-sharing partnerships and keep a register of recipients so that you can pass on corrections and erasures.
  • You will need a system that tracks data flows and data ownership at a granular level, with a named contact for managing data updates.

What will result from failure to comply with the General Data Protection Regulation?

Companies and their decision makers should start moving towards compliance with the new General Data Protection Regulation sooner rather than later. Firms that fail to comply once the regulation applies on May 25th 2018 face fines of up to 20 million euros or 4% of their worldwide annual turnover, whichever is higher.

We are helping companies understand how to prepare for these changes and minimize the impact on their business. If you want to know more about what the General Data Protection Regulation means for you and how it may impact your organization, contact us by filling out the form below!



At Techedge, our mission is to help organizations become more agile by exploiting the value of IT throughout every stage of their business transformation.