GDPR: What It Is, Why It's Important to You, and How You Can Comply
Wherever your business operates, you may have to follow the GDPR or face massive fines. It’s an epic legal document, but much of it boils down to some key principles. The best approach is to store and manage your data in a way that makes GDPR compliance straightforward. Here’s what you need to know.
Table of Contents
- Key Definitions
- Who The GDPR Applies To
- What You Must Do To Comply With The GDPR
- Legal Basis
- Data Protection Officer
- International Data Transfers
- Data Security
- Privacy Notice
- How Xplenty Can Help You Comply With The GDPR
Key Definitions
The GDPR is all about processing personal data. To understand the GDPR’s measures you need to understand the way it defines some key terms:
- “Processing” data means handling it in any way. This includes collecting the data, using it, deleting or altering it, or passing it on to somebody else.
- “Personal data” is any information that relates to an identified or identifiable individual. Identification can be indirect, taking several steps across separate datasets. For example, you may have a database showing that John Doe is customer number 90210, and another database showing that customer number 90210 bought a lawnmower. Because you can link the two and identify John Doe, the fact that he bought a lawnmower counts as personal data.
- The person the data is about is the “data subject.”
- The person or organization that decides what personal data to process and how is the “data controller.” They may do the processing themselves or instruct somebody else (a “data processor”) to do it.
Who the GDPR Applies To
The GDPR is a European Union regulation. That means it has legal force in every European Union country.
Although the GDPR is a European law, it can affect businesses around the world. That’s because it applies in any of three scenarios.
- The data subject is in a European Union country.
- The data controller is established in a European Union country. This could be a subsidiary or local office rather than the controller’s main base.
- The data processing takes place in a European Union country. This could include processing in a third-party data center.
The United Kingdom
Although the United Kingdom is no longer a European Union country, it has replicated the GDPR in its own national legislation. Unless and until the UK replaces or repeals this legislation, you must comply with the GDPR if you process data about somebody in the UK, have an establishment in the UK, or process data in the UK.
What You Must Do To Comply With The GDPR
The GDPR has many requirements for data controllers and data processors. The most important are:
- Only process personal data where you have a legal basis to do so
- Designate a data protection officer
- Protect data transferred outside the EU
- Secure data
- Create a privacy notice
Legal Basis
The most fundamental principle of the GDPR is that it is only lawful to process personal data where one of six legal bases applies. The most appropriate basis for a business will usually be consent or legitimate interests.
Consent
This basis applies if the data subject has consented to the data processing. This consent must meet several criteria:
- It’s meaningful consent. In other words, the data subject had a genuine choice to consent and understood that choice.
- It’s active consent. The data subject must give a positive indication of consent. You can’t assume consent by default and rely on people opting out.
- It’s advance consent. You must get consent before processing the data, which includes collecting it in the first place.
- It’s specific consent. You must state the purpose for processing the data before getting the consent. You can then only process the data for the specified purpose. You’ll need fresh, specific consent to use the data for another purpose.
- It’s reversible consent. This means the data subject can change their mind later on and withdraw the consent.
Legitimate Interests
The legitimate interest basis has two main criteria:
- You need to process the data to achieve your business’s (reasonable) goals.
- The data subject’s privacy rights don’t outweigh your legitimate interests.
You may need to justify your decision to process personal data on the basis of legitimate interests. A good rule of thumb is that it’s only a suitable basis if:
- It’s reasonable to assume the data subject would expect you to process the data in that way; and
- You’ve taken reasonable steps to limit the effect on their privacy.
The other legal bases are where you process the data:
- To fulfill a contractual obligation
- To comply with a law
- To protect somebody’s vital interests (this usually applies to medical emergencies)
- To carry out a task to serve the public interest (this rarely applies to businesses)
Data Protection Officer
The GDPR says you must appoint a data protection officer in any of three scenarios:
- You carry out personal data processing on a large scale as part of your main business activity. This doesn’t mean you have to be a data processing business. For example, this criterion would cover an insurance company that processes personal data when vetting applications, setting premiums and handling claims.
- You handle data about criminal records and activity.
- You handle sensitive personal data. The GDPR defines this as: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
If any of these criteria apply, you must designate somebody to be your data protection officer. It doesn’t matter whether this person is:
- An employee or an outside consultant
- Working solely as a data protection officer or combining it with other duties
- Data protection officer for your business only or for multiple businesses
What does matter is that the person must have the time, authority, and resources to carry out their duties without any conflict of interest. You should appoint them based on their experience and knowledge of data protection in general and the GDPR in particular.
The main duties of the data protection officer are:
- Tell you and your staff what to do to comply with the GDPR and how to do it
- Monitor compliance with the GDPR
- Cooperate with data regulators and act as their point of contact
- Carry out an impact assessment to judge and mitigate risks before carrying out some forms of data processing such as that involving sensitive data
International Data Transfers
The GDPR says you cannot transfer personal data outside of the European Union unless you have made sure it will continue to be protected to the same levels.
You don’t need to do anything if you are sending the data to a country for which the European Union has issued an “adequacy decision” to say its national privacy laws offer adequate protection. At the time of writing these are:
- Faroe Islands
- Isle of Man
- New Zealand
(The EU has approved South Korea in principle but the legal process is not yet complete.)
To send data to any other non-EU country, you’ll need an agreement with the recipient that includes a binding obligation to follow GDPR standards.
Data Security
Under the GDPR you must take appropriate measures to protect data against unauthorized access, alteration, or deletion. You should take into account the risks of a breach, for example by using greater protection for sensitive personal data. Measures suggested in the GDPR include encrypting data, using backups so you can restore data if needed, and regularly testing your security.
If you do suffer a breach, you must normally tell a supervisory authority (the data regulator in the relevant country) as soon as possible. If you don’t do so within 72 hours you must explain the delay. You must also tell the affected data subjects in most cases.
Privacy Notice
You must give data subjects a privacy notice, and the information in it must include:
- Your identity and contact details and those of your data protection officer
- The purpose for which you process the data
- The legal basis for processing the data
- Who, if anyone, you share the data with
- Whether you’ll transfer the data outside the EU and, if so, how you have made sure it remains protected
When you collect data, you also need to say:
- How long you’ll keep it (or how you’ll decide how long)
- The fact the data subject has the right to access the personal data you store about them, to ask for it to be corrected or deleted (if no longer relevant), and to get a copy in a “portable” form to take to another business
- The fact the data subject has the right to withdraw consent
- The fact the data subject has the right to complain to a supervisory authority
- Whether the data subject is legally or contractually required to provide the data (and what happens if they do not)
- Whether you carry out automated decision-making (such as profiling) using the data
Supervisory authorities have the power to punish data controllers for breaching the GDPR. This could involve a temporary or permanent ban on processing data; an order to delete or correct data; or a ban on transferring data outside of the EU.
The punishment can also be a financial penalty. The amount will depend on what measures you took to mitigate the effects or likelihood of a breach and whether you’ve committed breaches in the past.
The maximum penalty for breaches that are largely administrative is €10 million or 2% of your previous year’s global revenue, whichever is more.
The maximum penalty for more fundamental breaches is €20 million or 4% of your previous year’s global revenue, whichever is more.
How Xplenty Can Help You Comply With The GDPR
The sheer scale of the GDPR can feel overwhelming at first but it’s not overly complicated to comply if you take the time to plan and organize your response. Some actions you must take are spelled out in detail by the GDPR such as:
- Producing privacy notices
- Keeping records of the data you collect
- Designating a data protection officer
However, the GDPR is as much about culture and mindset as it is about following checklists. The GDPR says data controllers need to adopt the principles of privacy by default and privacy by design.
- Privacy by default means creating systems, procedures, and software that limit data collection to reduce the risk of inadvertent breaches. It could mean only collecting necessary data, building in an automatic review or deletion process, pseudonymizing data, and limiting access.
- Privacy by design means creating systems, procedures, and software that have data protection “baked in” from the outset. The idea is to reduce the reliance on staff remembering to make decisions or take action to protect privacy, by making protection automatic and part of standard operating procedure.
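As an added illustration of what privacy by default and privacy by design look like once they reach code (this is example code written for this article, not Xplenty’s implementation), the following Python sketch keeps only the fields a stated purpose needs, replaces the identifier with a keyed pseudonym, tags every record with its lawful basis, and automates consent withdrawal, retention-based deletion and subject access. The class, field names and demo key are all constructed for the example.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed demo key; hold the real one outside the data store (e.g. a KMS) so records cannot be re-linked without it.
PSEUDONYM_KEY = b"constructed-demo-key"
# Data minimisation: the only fields each stated purpose may keep (constructed example purpose).
ALLOWED_FIELDS = {"order_analytics": {"item", "price"}}

def pseudonymize(identifier: str) -> str:
    """Keyed hash: a stable per-subject token that is not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class Record:
    subject: str          # pseudonymised data-subject token, never the raw email
    purpose: str          # the specific purpose stated when the data was collected
    basis: str            # lawful basis, e.g. "consent" or "legitimate_interests"
    collected: datetime
    retention: timedelta
    payload: dict         # only the fields the purpose needs

class PrivacyByDefaultStore:
    def __init__(self):
        self.records: list[Record] = []

    def collect(self, email, purpose, basis, data, retention_days, now) -> Record:
        # Drop every field the purpose does not need and replace the email with a token.
        payload = {k: v for k, v in data.items() if k in ALLOWED_FIELDS.get(purpose, set())}
        rec = Record(pseudonymize(email), purpose, basis, now, timedelta(days=retention_days), payload)
        self.records.append(rec)
        return rec

    def withdraw_consent(self, email) -> int:
        """Reversible consent: delete records that rest on consent alone."""
        token = pseudonymize(email)
        keep = [r for r in self.records if not (r.subject == token and r.basis == "consent")]
        removed, self.records = len(self.records) - len(keep), keep
        return removed

    def purge_expired(self, now) -> int:
        """Automatic deletion once the stated retention period has passed."""
        keep = [r for r in self.records if now < r.collected + r.retention]
        removed, self.records = len(self.records) - len(keep), keep
        return removed

    def subject_access(self, email) -> list:
        """Right of access and portability: everything held about one subject."""
        token = pseudonymize(email)
        return [{"purpose": r.purpose, "basis": r.basis, **r.payload} for r in self.records if r.subject == token]
```

Because the pseudonym is a keyed hash rather than a plain hash, someone who obtains the records but not the key cannot confirm whether a given email address is present in them.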
Xplenty’s ETL platform lets you collect, store, and process data in a fully GDPR-compliant fashion that offers privacy by design and default. As well as providing the necessary security and authentication features, it organizes data in a way that makes it easy to carry out the GDPR’s mandate.
For example, it tags all data with the relevant lawful basis such as evidence of consent or your designation of a legitimate interest. It also makes it possible to respond to customer requests to access, modify, or delete data, letting you respond quickly and be confident you’ve fully met the request.
Seeing is believing, so the best way to understand how Xplenty can help you comply with the GDPR is a 14-day demonstration period. Visit to sign up for a free trial today.