What is GDPR?

GDPR is EU's new framework for data protection and GDPR stands for General Data Protection Regulation. The new law is replacing an outdated data protection directive from 1995.

The legislation is sincere effort towards bringing consistency with data privacy laws across Europe. The aim is to give consumers control of their personal data as it is collected by companies.

The GDPR also introduces penalties for organizations that violate the rules as well as remedies for those that suffer data breaches.


The GDPR will apply in all EU member states from 25 May 2018. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

Specific criteria for companies required to comply are:

  • A Business in EU.
  • No presence in the EU Block, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.


  • Consent – under GDPR, consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
  • Data Privacy – It is an organisationwide responsibility with accountability and the individual’s privacy at the centre of sweeping changes in data regulations. Whether you are upgrading existing systems, or specifying new systems, privacy should be built in by design. Your permission statements and Privacy Policies need to be specific and relevant to your organisation.
  • Data Security – The organisation is obliged to put in place effective technical and organisational security measures in order to protect personal data from unauthorised usage, loss, damage, alteration, damage. Make sure your technical security is up to date. Be proactive and protect the data you hold, encrypt it and always keep up to date with your security solutions.
  • Data Control – Under the aim of giving people more control over their information, GDPR ensures people can ask to access their data at “reasonable intervals”, with controllers having a month to comply with these requests. Both Data controllers and Data processors must make clear how they collect people’s information, what purposes they use it for, and the ways in which they process the data. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.