What GDPR Really Means

Europe’s data protection regulations are about to change in a massive way (like MASSIVE), but what does this mean for your brand or business?


You’ve probably done your fair share of searching about GDPR, but all you’re likely to find are Q&As, FAQs and round-ups which provide no answers and bring up more questions!

So, we’ve forced the wordy regulations through our cutting-edge anti-jargon filter (thanks, Adam!) and put together a guide of what the regulations say and what they mean, to help you prepare for the impending implications of the legislation.


The GDPR regulations were passed into law on 24th May 2016. The law applies to all businesses & organisations from 25th May 2018.

You’re not in trouble yet, but you will be if you’re not up to speed on GDPR by 25th May 2018. Best act now!


The extended jurisdiction of the GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

If you’re collecting data from people within the European Union, you have to follow the rules. Even if you’re based outside of the EU.


Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

Don’t breach the legislation because it’ll cost your company a fortune.


Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Companies will no longer be able to use long illegible… sounds like they should practise what they preach. In short, a double opt-in should do the trick. A double opt-in basically proves the person you are emailing has agreed to be emailed. For example, someone fills out their details on your website and then you email that person to confirm the details are accurate – voilà!
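To show what the double opt-in flow looks like in code, here is an added example (not from the original post, and not any vendor's library): a sign-up creates a pending record, consent is only stored once the emailed token is confirmed, and the plain-language purpose is kept with the consent so it can be checked later. The 24-hour link expiry and the field names are our own assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumption: confirmation links expire after one day


@dataclass
class ConsentRecord:
    email: str
    purpose: str                     # plain-language purpose stored with the consent
    requested_at: float
    confirmed_at: Optional[float] = None


class DoubleOptIn:
    def __init__(self) -> None:
        self._pending: dict[str, ConsentRecord] = {}   # sha256(token) -> record
        self._consents: dict[str, ConsentRecord] = {}  # email -> confirmed record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, purpose: str, now: Optional[float] = None) -> str:
        """Step 1: the form is submitted. Returns the one-time token to put in the email."""
        token = secrets.token_urlsafe(32)
        # Only the hash is kept, so a leaked pending table cannot be used to confirm.
        self._pending[self._digest(token)] = ConsentRecord(
            email, purpose, now if now is not None else time.time())
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: the link is clicked. Records consent only if the token is still valid."""
        now = now if now is not None else time.time()
        record = self._pending.pop(self._digest(token), None)
        if record is None or now - record.requested_at > TOKEN_TTL_SECONDS:
            return False  # unknown, reused or expired token: no consent is recorded
        record.confirmed_at = now
        self._consents[record.email] = record
        return True

    def has_consent(self, email: str, purpose: str) -> bool:
        """Consent is purpose-bound: a newsletter opt-in does not cover other processing."""
        record = self._consents.get(email)
        return record is not None and record.purpose == purpose

    def withdraw(self, email: str) -> None:
        """Withdrawal or erasure request: drop the record entirely."""
        self._consents.pop(email, None)
```

The same `withdraw` step is what you would call when someone exercises the right to be forgotten described further down.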


Breach notifications will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours.

If you suffer a data breach, you’ve got 3 days to fess up to the data protection authority and everyone affected. A penalty of up to 2% of your annual worldwide revenue or €10 million (again, whichever is higher) if you don’t – ouch!


Part of the expanded rights of data subjects is the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

If you’ve collected someone’s data, they can request a free-of-charge electronic copy of it from you, and information on what you’re using it for.


The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

If someone wants to be forgotten, you’ve got to say “bye bye” to their data. Your business and data processing pals will have to say “sayonara” to the data, too.


Data portability gives the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.

It’s like a break-up, but they can take EVERYTHING, move it in with their new partner and live happily ever after.


Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

Don’t be dumb and design a data-y thing that doesn’t meet the requirements of the legislation. You can’t just add an extension like you can with a house in The Sims.

If you need more information, you can find out more on the GDPR website, www.eugdpr.org.
