Decoding the General Data Protection Regulation (GDPR)

by | May 24, 2018 | international-business, Practice Areas, U.S. Private and Emerging Business

Key Aspects of the General Data Protection RegulationFinal

What is it?

On May 25th, 2018, a new law concerning privacy and data protection will come into effect in the European Union. The Guardian calls it the “biggest personal data shake-up since 1995.” The GDPR updates the 1995 European Union Data Protection Directive to apply to the advances in technology that many consumers rely on today. Overall, the legislation requires companies to adopt greater transparency when handling individual data. It also transfers much of the decision-making power from the companies to the consumers.

The Scope of the Law: Who is affected?

Although the GDPR is an act of European law, its consequences are global. Companies established in the EU must follow the GDPR, even if the actual data processing takes place elsewhere. Any firm storing or processing personal data of EU residents must comply with the GDPR. Multinational companies that handle data from European residents, therefore, must follow the GDPR wherever they are located. If your company offers goods or services to EU-based individuals, or if it monitors EU residents’ behavior, it falls under the scope of the GDPR. The new law simplifies the process to ensure that European data is protected to meet their standards, regardless of where or how far the data travels.

Data Protection Officers

If a company is under the scope of the GDPR, it may need to appoint a Data Protection Officer (DPO). The role of the DPO is to ensure that companies are operating in compliance with the GDPR. DPOs are experts on the legislation itself as well as the technological processes that must comply. Companies that handle 5,000 individual data sources or more within one year are obligated to hire a DPO. Firms affected by the law with 250 or more employees must appoint one as well.

Controlling vs. Processing

There are two types of firms that are impacted by GDPR: data controllers and data processors. Data controllers “determine the purposes and means of the processing of personal data” whereas data processors simply process the data on behalf of another entity. Examples of data processing include payroll administration, sending promotional emails, storing personal information in a database, and putting photos of individuals online. Data controllers are the firms who make the decisions to collect and process data. Under GDPR, data processors will be regulated in how they store the data, while data controllers will be regulated in how they are allowed to ask for the data.


Penalties for noncompliance will vary, depending on the severity of the breach. For the most severe noncompliance, fines can escalate to $24 million or 4% of annual turnover, whichever is higher. Fines will be allocated on a tiered system according to the severity of the infraction.


Clear and Easy to Understand Terms

Most consumers are uncertain of the level of personal information that companies may be collecting. Before submitting personal information, consumers often have to agree to a company’s “terms and conditions” regarding the consumer’s use of their service, and in return, the company’s use of their data. These terms are notoriously long and difficult for the average individual to understand. It has become a habit for individuals to simply scroll through the bulky text and select “accept.” GDPR changes this. Under this law, companies must request a consumer’s consent to process their data using “unambiguous” terms. This greater transparency levels out the playing field. It allows consumers to better control where their data is going and what it is being used for.

Additional Consumer Rights

The law gives consumers more certain “opt in” rights. Consumers must be given the clear ability to opt in to data collection, and it must be just as simple to opt out. Under the GDPR, consumers have a clear right to access their data from any firm who may be storing it. Consumers are also given the right to be forgotten; pending certain conditions, individuals may request that their data be erased. Data must also be portable. Consumers may request to have their data moved from one data controller to another.

Be Prepared

If you have any questions regarding the GDPR or think it may impact your business, contact us today at Gonzalo Law for a free consultation.

1. What are all these GDPR emails filling up your inbox? By Gavin Haynes. 5/16/2018. Accessed 5/16/2018.
2. GDPR FAQs. Accessed 5/16/2018.
3. GDPR Key Changes. Accessed 5/16/2018.
4. Rules on international transfers of personal data. Accessed 5/16/2018.
5. Data Controllers and Processors. Accessed 5/21/2018.
6. GDPR Compliance: What is a data protection officer and do you need one? By Erika Morphy. 2/13/2018. Accessed 5/23/2018.
7. What constitutes data processing? Accessed 5/21/2018.
8. Here are 8 things every business needs to do now to get GDPR ready, by Bernard Marr. 5/7/2018. Accessed 5/21/2018.