GDPR is a brand new EU regulation that comes into full effect on May 25th, of this year. As a replacement for the original Data Protection Directive, established in 1995, it’s an innovative piece of legislation in a number of ways. At its core, it aims to help protect and empower all EU citizens to better control their personal data.

With solid common standards for data protection, people can be sure they are in control of their personal information. And they can enjoy all the services and opportunities of a Digital Single Market – Andrus Ansip, VP for the Digital Single Market

As well as aiding citizens, it will also help enable the police and the criminal justice sector to protect witnesses, suspects and victims. However perhaps the most significant change will be the way the General Data Protection Regulation will undoubtedly reshape the way organisations across the region approach data privacy.

As one of the most significant data privacy regulation changes in 20 years, it’s important all businesses are in the loop when it comes to GDPR – here’s what you need to know:

GDPR: Key Changes

GDPR is a dramatic shakeup and a clear response to the data-driven world we all live. As citizens with online personal data, we all need and expect extra protection online, however, the EU is clear about it benefitting both newly empowered online citizens as well as businesses who deal with personal data online. They want it to be seen as a collective and transparent step forward for all:

Citizens and businesses will profit from clear rules that are fit for the digital age […] that give strong protection and at the same time create opportunities and encourage innovation – Věra Jourová, Commissioner for Justice, Consumers and Gender Equality

Huge improvements have been made to major regulatory policies, including, the intricacies of consent online and how we draw digital geographical parameters. Let’s see what’s changed:

Geographical Scope

General Data Protection Regulation | iWeb

This has everything to do with redefining our understanding of geography in digital terms. There’s nowhere to hide!

  • Under the General Data Protection Regulation, data processing rules now include those processing personal data in the EU, regardless of whether the processing actually takes place in the EU or not.


Penalties for non-compliance will be implemented on a case-by-case basis.

There are two tiers of administrative fines that can be levied:

  • Up to €10 million, or 2% annual global turnover – whichever is higher.
  • Up to €20 million, or 4% annual global turnover – whichever is higher

The maximum fine will be incurred if serious infringements have occurred, e.g not having proper customer consent to process data. Here’s further information on all the GDPR penalties and how businesses can incur them.


We all hate technical language, right? Well under GDPR we’re saying goodbye to jargon all together!

Aimed at trying to strengthen the conditions for consent, companies will no longer be able to use long illegible terms and conditions full of technical language.

  • Under GDPR personal consent must be clear and distinguishable, using clear and concise language (Follow this detailed guide, with templates on how to write GDPR-ready T’s&C’s).
  • The request for consent must be given in an intelligible and easily accessible form and crucially, consent must be as easy to withdraw as it is to give it.

*What’s ironic about the GDPR directive itself is that it’s heavily steeped in confusing jargon of its own. Here’s a handy jargon-buster to help you.

General Data Protection Regulation

Cyber Attacks

There really is nothing worse than a cyber-attack that comes out of nowhere. However, the only thing that might trump this is when a personal data breach is concealed from us by businesses and corporations. Under GDPR this is changing:

  • Notifications about online invasions involving the public will become mandatory in all member states
  • This must be done within 72 hours of first having become aware of the breach.

Right to Access

  • This signals a radical change in the empowerment of online users. The public will be able to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
  • This personal information shall them be provided free of charge, in an electronic format. Follow this helpful guide to help understand what type of information should be included.

Right To Be Forgotten

  • Sound a bit strange, doesn’t it? Well, data erasure under the General Data Protection Regulation is actually just the public’s right to request the erasure of his/her personal data.
  • However, this may implicate businesses in a number of ways. For example, it may make it more difficult for companies to target their products or services at EU citizens. Here’s  wider information on the real-term business impact data erasure may have.

Privacy By Design

Privacy by Design has been a long-standing concept but is only now becoming part of the legal requirements of the new General Data Protection Regulation.

  • Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as a later addition. An example of this is end-to-end encryption. This is a system of communication messaging where none other than the sender or recipient can see the messages, e.g  Apple iMessage and Whatsapp.

*A short video summarising General Data Protection Regulation:

Want to read the whole thing for yourself? Here’s access to the full-version of GDPR.