GDPR compliance in 4 steps

August 10, 2017 by

Privacy and data protection may not matter to many outside of Europe. This will change on 25 May 2018 when new EU privacy laws will coerce global businesses with links to Europe to comply with the General Data Protection Rules (GDPR).

These new rules will impact on any international organisation handling personal data of a person residing in the EU.

The extraterritorial scope of the GDPR means that international organisations and businesses need to review their internal data processing procedures. Else they risk hefty fines for non-compliance.

European data protection authorities will have the power to impose fines of up to EUR 20 million or 4% of annual worldwide turnover (whichever is higher) for any breach of the GDPR.

The GDPR can also result in civil liability. Any person who has suffered damage as a result of a breach of the GDPR has the right to receive compensation from the data controller or the data processor.

Step 1: Who needs to comply?

First, this new data protection regime applies to everybody who is in the EU at the time the data is collected. All organisations collecting and processing personal data of a person who is in Europe at the time the data is collected must ensure GDPR compliance, irrespective of a business’s physical location.

GDPR compliance is relevant even to businesses without a physical presence in the EU.

All businesses with customers in the European Union or that track the online behaviours of individuals who live in the EU must abide by the new rules.

Else they risk hefty fines for non-compliance.

Step 2: What personal data is being collected and processed?

Second, identify information that may fall under the scope of the GDPR. A basic understanding of the meaning of “personal data” is needed.

Personal data is broadly defined in the GDPR.

Personal data is any information relating to a natural person who can be identified either directly or indirectly. Personal data may relate to a person’s private, professional, or public life. It can be anything from a name, a photo, an email address, employment details, interactions on social media, medical records, or even an IP address.

Personal data includes, for instance:

  • Personal details such as the person’s name, address, email
  • Financial details such as how much the person earns, credit ratings
  • Medical details about a person’s mental or physical health
  • Details about a person’s ethnicity, political opinions, religious beliefs, or sexual life
  • Images or voice recordings of a person
  • Employment details
  • IP address of a person that visits a website
  • Criminal records or alleged offences
  • Biometric data

A person may be indirectly identifiable if identification of a person is made possible through combining different pieces of information that, by themselves, would not reveal the identity of the person.

The GDPR does not apply to personal data that has been anonymised so that an individual can no longer be identified from the information itself. However, pseudonymised data that is retraceable may be considered as personal data on individuals who are indirectly identifiable.

Step 3: How is personal data collected?

Third, how did your business collect the personal data? Did you collect the information from the individual themselves or a third party?

Data may be collected from many sources: A person may have provided it voluntarily for “free” services such as search engine services or social networks. Personal data may also be captured automatically through cookies, web analytics, and sensors.

The GDPR approaches consent more restrictively. Consent must be “freely given, specific, informed and unambiguous”. Silence, pre-ticked boxes, or inactivity is not a form of valid consent.

Consent must be specific to distinct purposes for handling personal data. Consent should cover all intended processing activities.

Particular conditions are imposed in the case of children online and for sensitive personal information.

Step 4: Why is personal data processed?

Fourth, businesses will need to think about the reasons they are collecting and processing personal data.

Reasons may be manifold, such as processing a sales order, administration of staff, complying with laws and regulations, marketing activities, profiling, etc.

Businesses need to be clear about the legal ground or grounds for which they process or hold personal data. The GDPR prohibits the processing of personal data unless there are legal grounds to do so. In other words, just because a business can collect and process data does not mean it is also legally allowed to do so.

Legal grounds for collecting and processing of personal data include:

  • to perform a contract;
  • the individual concerned has given consent;
  • the data controller has a legitimate interest;
  • statutory obligation to collect and retain information (e.g. employers);
  • to perform the lawful function of a public authority; or
  • for the protection of vital interests of that person.

Personal data must be handled for specified and explicit purposes. During the life cycle of data, the personal data cannot be further processed in ways that are incompatible with those specific purposes.

For instance, personal data that has been collected to perform a sale of goods contract cannot later be used for marketing, unless the person has specifically agreed to receiving promotional offers.

The GDPR does not provide for an intra-group privilege. Instead, each group subsidiary will be accountable for its own data protection standards. This also means that intra-group data transfers must be justified by law.


GDPR compliance is the only way to avoid the new extended liability and increased penalties. With this in mind, companies should be particularly careful when handling personal data of Europeans.

Businesses need to review their internal data policies and procedures that address privacy and data protection, including their IT policy, HR policy, outsourcing procedures, and any policy affecting data subjects in the European Union.

GDPR compliance is not a one-off task. It is an ongoing process. Relevant policies should therefore continuously be monitored, reviewed, and most importantly communicated to staff.

Why are privacy standards high in Europe?

In Europe, the protection of persons in relation to the processing of personal data is a fundamental right.

Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

The European understanding of privacy is deeply rooted in human dignity and autonomy. It implies that each person can control and draw the line between their public and private sphere.

The basic idea is that people should be able to control personal data about them, also called “informational self-determination”. This means that individuals have a right to determine when, how, and for what purpose personal information about them is disclosed.

Businesses and institutions need to review their privacy policies and information security procedures to ensure compliance with the new set of European data protection rules.
