GDPR Compliance: Everything You Need to Know

The EU General Data Protection Regulation (GDPR) is being touted as “the most important change in data privacy regulation in 20 years”, and with good reason. The new law is set to reshape the internet by dramatically redefining the way that we look at how data is gathered, stored and shared.

GDPR was approved by the EU Parliament back on 14th April 2016 and is set to come into effect on Friday 25th May 2018. As of that date, any businesses that are non-compliant will be liable to fines. Heavy fines. We’re talking millions upon millions of dollars.

The good news is that the aim of the legislation isn’t to cause problems for business owners. It’s meant to bring privacy laws across the whole of Europe into line under a single piece of legislation, replacing the now-outdated Data Protection Directive 95/46/EC. It’s intended to further protect EU citizens from data and privacy breaches and to bring the old legislation — which was drafted in 1995 — up to date with the modern world.

Is it time to panic?

It depends. Is your company compliant? According to Gartner’s research, by the end of 2018 over half of all companies affected by GDPR will not be in full compliance. And that’s no surprise. After all, companies are often so busy that they’re barely keeping up with their existing workloads, and something as seemingly abstract as GDPR compliance can take a lower priority — until it’s too late to do anything about it.

The good news is that it’s not too late, and there may well be a leniency period in which some companies are merely slapped on the wrist as long as they can prove that they’re already taking action. But make no mistake — simply ignoring the incoming regulation is unacceptable. It’s risky at best and corporate suicide at worst.

One of the biggest issues is a lack of understanding. Marketers are leaving it to IT teams and IT teams are leaving it to marketers, while CMOs, CIOs and CEOs are letting it slip because they’re under the illusion that the regulations don’t apply to them or their business. There’s an incorrect assumption that the legislation only covers businesses with a physical presence in Europe.

Will US businesses escape GDPR?

The short answer to this question is “no”. In fact, one of the biggest impacts of the GDPR is its extended jurisdiction. It doesn’t just apply to companies in the European Union. It applies to any company that handles the personal data of EU citizens, whether or not the company itself is in the EU.

This means that even if you’re based in the US and all of the data is being stored and processed stateside, you’ll still need to obey the legislation. It specifically applies when activities relate to “offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.”

On top of that, US-based businesses that process data of EU citizens will also be required to appoint a representative in the EU. And when it comes to collecting data, companies are required to refrain from legalese and to make any request for consent as clear and as easy to understand as possible. Arguably most important of all, it should be as easy for people to revoke their consent as it is for them to give it.

Cookies and the GDPR

Almost every commercial website uses cookies, whether for processing analytical data or keeping people logged into their shopping carts. What many people don’t realise, though, is that cookies are counted as personal data under the GDPR rules. After all, a cookie is tied to a specific user and so it falls under the banner of “personal data”.

The biggest change when it comes to cookies is that website owners will no longer be able to force users to accept cookies in exchange for information. In other words, a website needs to display its information to people whether or not they accept the cookie agreement. And as before, the agreement needs to be free of legalese, and it must be as easy for people to withdraw consent for cookies as it is for them to grant it. Simply expecting people to clear their cookies within their browser isn’t good enough.

Remember that the GDPR is an extensive piece of legislation with plenty of nuances and so it’s a good idea to familiarise yourself with the official documentation. There are additional clauses in place that come into play in specific circumstances, such as if there’s a data breach. You’ll also need to be prepared for requests from consumers who want to know whether you’re holding data on them and, if so, where it’s being stored and what it’s being used for. Companies will be required to provide an electronic copy of this data free of charge to anyone who requests it.


Originally published at

This story is published in The Startup, Medium’s largest entrepreneurship publication followed by 318,120+ people.