On May 25, 2018 the General Data Protection Regulation (GDPR) enters into force

This is the most important reform of EU data protection law in 20 years. These changes are relevant not only to organizations that are established in the EU, but also to non-EU organizations, which means that all organizations must determine whether the GDPR applies to them.

Please use this as general information, not as legal advice. It is provided for informational purposes only and should not determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance.

The GDPR is a data protection law which establishes a modified framework of legal rights and duties designed to protect personal data. The GDPR aims to give individuals control of their personal data and to simplify the regulatory. The GDPR applies to every organization that gathers certain information about individuals (for example: customers, suppliers, business contractors, employees, and other people that the organization has a relationship with). The best way for organizations to ensure that they are in compliance with the law is to have a Data Protection Policy available on their website and on request, and to make sure that each individual they collect data from understands how their personal data is collected, handled, stored and used.

Does the GDPR apply to your organization?

The GDPR is applicable to organizations of all sizes and all industries established in the EU and outside the EU.

The GDPR introduces 2 principles with regard to territorial applicability:

Establishment – If the processing of personal data takes place in the context of activities of an establishment of an organization in the EU, regardless of whether the processing takes place in the EU or not.

Marketplace – If personal data of individuals who are in the EU is processed by an organization not established in the EU and the processing concerns the offering of goods and services to individuals in the EU or the monitoring of behavior of individuals that takes place in the EU. This also covers an organization that offers goods and services to individuals in the EU online. The marketplace rule requires the processing of personal data of individuals who are in the EU. The applicability of the GDPR in this respect is tied to the physical presence of an individual in the EU, irrespective of the individual’s nationality, residence or intention to stay within the EU.

Why do US organizations need to be aware of the GDPR?

The GDPR rules apply if goods and services are offered to individuals in the EU. The offering of goods and services does not need to be connected to payment; goods and services offered for free are also included. According to the GDPR, the organization must express its intention to deal with EU users (for example: offering local currency payment, shipment to the EU, or local telephone numbers). The GDPR also applies if the organization monitors the behavior of users in the EU. Behavior monitoring refers to techniques for tracking individuals’ internet activities, such as profiling and targeting in the context of advertising (via cookies) or location monitoring in mobile apps.

The US and EU have fundamentally different approaches to privacy law. Generally, the EU views privacy as a fundamental human right and legislates access to its citizens’ data with that philosophy. In contrast, the US does not legislate with the understanding that privacy is a fundamental human right. The word “privacy” does not even appear in the US Constitution. Generally, it has been argued that the US does not view privacy rights in the same context as the EU, due in part to its history. The US tends to create privacy laws when a need for them arises.

Organizations in the USA have to understand what personal information they collect and use from EU citizens, whether they are employees, contractors or customers, and make sure they are in compliance with the GDPR.

What is “Personal Data”?

The GDPR regulates the collection, storage, use, and sharing of personal data. Personal data is defined very broadly under the GDPR. “Personal data” includes any data that relates to an identified or identifiable individual. This can include data such as online identifiers (IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, health and financial information and much more.

What about the “Consent”?

If you are relying on Consent as the basis for lawful processing, you must ensure that the Consent is:

  • Separate from the other terms and conditions
  • Voluntary and freely given
  • Specific and clearly presented in plain language
  • Provided in an intelligible and easily accessible form
  • It must be as easy to withdraw Consent as it is to give it at any time
  • Active, and does not rely on silence, inactivity or pre-ticked boxes

The GDPR specifically bans pre-ticked opt-in boxes. You will need to obtain unambiguous consent about data usage, including explicit cookie tracking consent. You will need to get a double opt-in for all marketing communications too. Also, you will need to give individuals the right to access and correct their personal data or to have it deleted.

What are the organization’s responsibilities under the GDPR?

The GDPR includes detailed rules about what the organization must tell individuals about its processing of personal data. This includes, among other things, information about why the personal data is being processed, how long the data will be stored, with whom the personal data will be shared, and whether the personal data will be transferred outside the EU. This information must be presented in a way that is clear and easily accessible.


Children under the age of 13 can never, themselves, give consent to the processing of their personal data in relation to online services. For children between the ages of 13 and 15 (inclusive), the general rule is that if an organization seeks consent to process their personal data, then parental consent must be obtained, unless the relevant individual Member State legislates to reduce the age threshold – although the threshold can never drop below 13 years of age. Children aged 16 or older may give consent for the processing of their personal data themselves.

What are the principles under the GDPR?

Lawfulness and transparency - personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

Purpose limitation - personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

Accuracy - personal data must be accurate and, where necessary, kept up to date.

Storage limitation - personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality - personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

What if your organization does not comply with the GDPR?

An organization in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
