GDPR (General data Protection Regulation)

This takes effect as of 25th May 2018 

  • This will impose strict fines throughout the EU for breach in data security
  • Under GDPR the fine for failing to follow the new law could be as high as 4% of a company’s global revenue or €20 million 
  • The law will also offer more power to citizens, in regards to what companies can do with their private data 

While the new law will be beneficial on all sides, the GDPR has ostensibly been designed to protect consumers. These regulations are designed to protect customer data in the new digital environment, where companies such as Facebook and Google share the personal data of account holders in exchange for site access and features. GDPR seeks to return more control of the situation back to the user. This could make EU users less wary of sharing information on such platforms GDPR should establish clear rules under which businesses can operate regards to the handling of customer data. With these new rules the boundaries should be easier to understand on both the corporate and consumer end, which should be easier for businesses to earn and hold the trust of customers.

GDPR – Who does it Effect

The two parties in the realms of Data Security are “The Controllers” and “The Processors” of digital information. The Controllers are the entities that determine the methods and reasons for the processing of user’s data; i.e. any an organisation – be it a company, a charity or a government entity. The Processors are the IT firms that actually, handle the technical function through which the data con be processed. GDPR will affect all controllers and processors that handle the personal data of EU residents, regardless of whether the controlling or processing parties are based in Europe or abroad. As such the new law affects all online businesses and platforms that accept customers or members. The balancing act between controllers and processors works as follows: 

  • Controllers must ensure that their processors function in accordance with the new regulations 
  • Processors must make sure that their activities abide to the new law and maintain applicable records

Processors holds full and even partial responsibility for a data breach, and will be penalized much more strictly under this regulation than the pre-existing Data Protection Act. The actual source of a breach won’t even matter under the new law, as the processor will bear most of the blame.

Data Processing

From the 25th May 2018 controllers will be required to be completely transparent with the processing of EU user data for specific purposes. Once the purpose is completed and the controlling / processing entities have no lawful need for the data given by the user it must be deleted. Personal data therefore should no longer be stored idly and indefinitely on servers that could be hacked at any time.


For personal data of EU residents to be processed under GDPR, at least one of the following must apply 

  • Compliance with a legal contract 
  • The protection of an interest deemed essential to the life of the individual 
  • The processing of data within the interest of the public 
  • The prevention of fraud

Note! If a person has consented that their personal data can be used this will be deemed “lawful”


For controllers to get agreement of an individual, consent must be obtained through direct, confirmed action. The pre-existing standard of justification, which allows controllers to use data withonly a passive acceptance will not suffice under GDPR.