GDPR - What to Know

by Christoph Weber|Director of Technology Services



On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. It is the European Union (EU) regulation that protects the personal data of individuals in the EU and harmonizes the data protection rules across the entire European Economic Area. As a result, companies around the world have had to make major adjustments in the way they collect, store and use personal data. Any company established in the EU, and any company outside the EU that offers goods or services to people in the EU or monitors their behaviour (for example by collecting personal data from them online), is subject to the GDPR. Data protection is a fundamental right in Europe, and the GDPR ensures that companies, whether or not they are based in the EU, respect the privacy of their EU clients.


The GDPR defines three main roles:

  • Data subject: Any identified or identifiable natural person whose personal data is being processed.

  • Controller: The entity that determines the purposes and means of the processing, that is, why personal data is collected, how it is collected and where it flows from there.

  • Processor: The entity that processes personal data on behalf of, and on the instructions of, the controller.


Let’s say Company A uses Disqus for user comments on the blog of their website. Since Disqus is collecting the user’s data on behalf of Company A, the user interacting with the website is the data subject, Company A is the controller and Disqus is the processor. Note that a vendor which also uses that data for its own purposes (for example to build profiles across many sites) is a controller in its own right for that use, and the two parties then share the controller’s obligations.


What is personal data?

Put simply, personal data is any information relating to an identified or identifiable individual. It is broader than the US notion of personally identifiable information (PII): data counts as personal even if the person can only be identified indirectly, by combining it with other information. A common name alone may not single out a person, but a name together with an address or workplace usually does. In this context a work email address is personal data, because it typically combines a person’s name with their employer’s domain.


Examples of data that can be used to identify someone include (but are not limited to):

  • Basic identity information such as name, address and ID numbers

  • Online identifiers such as location data, IP addresses, cookie identifiers and RFID tags

  • Health and genetic data

  • Biometric data

  • Racial or ethnic data

  • Political opinions

  • Sexual orientation

The last five items are "special categories" of personal data under the GDPR and may only be processed when an additional condition, such as the individual’s explicit consent, applies.


Data subjects have the right to:

  • Be informed: receive, at the time of collection, privacy information about who is collecting their data, why, how it will be used and for how long it will be retained.

  • Access: obtain confirmation that their data is being processed, a copy of that data, and information about how the organization is using it.

  • Rectification of inaccurate or incomplete data.

  • Erasure (also known as the right to be forgotten): have personal data deleted in specific circumstances, for example when the data is no longer needed for the purpose it was collected for, or when the individual withdraws the consent the processing relied on.

  • Restriction: have processing of their data suppressed, meaning the data can be stored but not otherwise used.

  • Portability: obtain the personal data they provided in a structured, commonly used, machine-readable format and reuse it for other purposes, including transferring it to another controller.

  • Objection: object to processing of their data, for example processing based on the controller’s legitimate interests or for direct marketing. An objection to direct marketing must always be honoured.


Obligations for companies:

  • Companies must comply with the above rights and provide a practical way for data subjects to exercise them.

  • They must map and audit the personal data they hold, keep records of their processing activities, and adjust collection, storage and use methods accordingly.

  • In the event of a personal data breach, companies must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, the affected individuals must be informed as well, without undue delay.

  • Personal data may only be transferred out of the EU and Switzerland under a recognized transfer mechanism. At the time of writing, US companies could self-certify under Privacy Shield; that framework was invalidated by the Court of Justice of the EU in July 2020 and its successor, the EU-US Data Privacy Framework, has applied since July 2023. Standard Contractual Clauses (used by companies of all sizes) or Binding Corporate Rules (intended for transfers within large corporate groups) can be used instead to make cross-border data transfers lawful.

  • A comprehensive compliance checklist is published on the website of the UK Information Commissioner’s Office (ICO).



Penalties for non-compliance can be severe:

  • Fines of up to 4% of annual global turnover or €20 million, whichever is higher, for the most serious infringements (for example, violating the basic principles of processing or the rights of data subjects).

  • Fines of up to 2% of annual global turnover or €10 million, whichever is higher, for lesser infringements (for example, failing to keep processing records or to notify a breach).

  • Supervisory authorities can also order audits and corrective measures, including a temporary or permanent ban on processing the individuals’ data.

  • Affected individuals can claim compensation from the controller or processor for material and non-material damage.

With such high penalties at stake, the GDPR ensures that companies take the proper precautions in safeguarding their clients’ personal data.


Here at Achieve, we pride ourselves on process and best practice. Conducting a full risk assessment to meet GDPR compliance is now part of this process. Our expert team has the experience and knowledge to maintain industry best standards, standards that we hold ourselves to from client to client and project to project.




