Jun 19, 2018 | 7 mins

Personal data has become a commodity to be collected, bought, sold and traded without user consent. GDPR aims to change that.

It seems like every day brings news of a new data breach, sending consumers scrambling to find out if their privacy has been compromised. The fallout from these breaches has become increasingly commonplace: Broken trust, finger pointing, ruined reputations and ad hoc legal consequences.

That is why the European Union drafted GDPR, which came into effect on May 25th of this year. This piece of legislation aims to codify consumer rights and company obligations when it comes to the collection and storage of personal data.

In this article, I’d like to touch on the pain points that businesses may feel, but also the opportunities that exist with respect to security and privacy. It’s a double-edged sword, so make sure you don’t catch the wrong end of it.

What is GDPR?

GDPR is, at its heart, a way to ensure individual privacy protection. It is founded on the idea that personal data, defined as any information that can identify a person in any way, is the sole property of that person. GDPR ensures companies cannot collect it without the user’s express permission, and that any data collected can only be used in ways the consumer consents to. To do this, GDPR requires all companies to keep detailed records regarding the data they collect, how it is used, and what measures the company has taken to safeguard it. This game-changing piece of legislation also imposes stiff fines for companies that don’t comply.

GDPR aims to empower consumers by giving them control over how their personal data is used. Since personal data is the property of the individual, they are legally allowed to request that their data be erased under the right to be forgotten. This means that any individual can tell a company they wish to have their personal data deleted, and the company must comply with that request.

What are the potential negative impacts for non-compliant businesses?

GDPR is wide-reaching. It applies not only to companies that are based within the European Union but also to any company that wishes to do business in Europe or collects data on European citizens. This extraterritorial clause means that this piece of European legislation will impact companies across the globe, including in Canada and the United States.

As part of the legislation, each individual member state has designated a data protection authority whose job is to enforce GDPR. The punishment for non-compliance is harsh.

Things get bad when they’re fine

Companies can be fined up to 4% of their annual global revenue or €20 million, whichever is higher, if they:

  • Do not comply with GDPR standards
  • Fail any audits
  • Experience any data breaches

Companies can be fined up to 2% of annual global revenue or €10 million, whichever is higher, if they:

  • Fail to produce the appropriate records

Fines of this magnitude are hard to absorb for even the largest companies and could completely sink a small or medium-sized organization.

If a company experiences a data breach, it now has to report it to the data protection authority within 72 hours of discovering it. Depending on the severity of the breach, companies might also be obligated to inform the individual customers affected.

The strict standards, and the harsh fines for non-compliance, mean that it is essential for all companies that have customers or web traffic originating from the European Union to ensure they are GDPR compliant.

Non-compliance is not an option

Even if a company is willing to risk the substantial fines GDPR can impose, non-compliance is still not an option. GDPR ensures individuals whose data has been compromised have the right to compensation from the offending organization. Material and non-material damages that result from GDPR non-compliance can be subject to mass claims on behalf of all affected individuals or, in some cases, not-for-profit organizations that represent those individuals.

This opens non-compliant organizations up to actions such as class action lawsuits, which are costly. Aside from the financial consequences, the damage a company’s reputation would likely suffer could be catastrophic. All companies need their clients in order to remain solvent, so irreparable reputational damage could have devastating consequences.

How can businesses ensure compliance?

Meet your future data protection officer, whether you like them or not

The first step to ensuring you are GDPR compliant is to appoint a Data Protection Officer (DPO). This individual should have expert knowledge of the laws and regulations that pertain to data privacy. The role of DPO does not have to be a full-time job, though larger organizations will likely need to dedicate someone exclusively to this role. The DPO also cannot be punished for doing their job, and to avoid any potential conflicts of interest the DPO should not operate within the IT or Data departments.

As part of his or her job, the DPO will have to regularly audit the company to ensure GDPR compliance and offer recommendations for addressing issues before they occur. It is also the job of the DPO to educate employees about compliance and its importance.

Keep detailed records

Companies should also ensure that they are keeping detailed records of all of their data processing activities, including the purpose of those activities. These records must be made public upon request. As mentioned earlier, failing to produce these records could result in a potentially crippling fine.

One of the best ways for a company to ensure compliance is to locate all the data it has collected on customers and track what it is being used for. This in turn will allow the company as a whole to be better informed about what data is being collected and why. The company can then decide how best to proceed under GDPR.

It’s not all bad: GDPR can be a win for businesses and consumers alike

Consumer privacy is precious again

GDPR exists to empower consumers and protect their personal data. By holding companies to stricter security standards and ensuring that consumers can make informed decisions about how their data is used, GDPR protects individuals and gives them more control over their personal data.

GDPR ensures that customer data is no longer something to be collected, bought or traded without express user consent. In a digitally connected world where privacy is becoming increasingly elusive, GDPR shields customer data from unwanted scrutiny.

Perhaps we’ll all eat a little less spam

GDPR also ensures that companies can only contact individuals with their explicit consent. This in turn will cut down on the amount of spam individuals receive, since customers will have to opt in to receiving emails as opposed to having to opt out to avoid them.

Customers will no longer have to hunt for the often elusive unsubscribe button in order to opt out of nuisance emails. Instead, the onus will be on companies to ensure they are not bothering you, not on you to stop them from flooding your inbox.

Businesses already investing in security and privacy will feel less stress

Companies that already take their security, and their customers’ privacy, seriously should not find it difficult to ensure they are GDPR compliant. GDPR may be groundbreaking, but it doesn’t reinvent the data protection wheel. Instead, it builds on the good practices many companies already implement and codifies them to ensure everyone is on the same page.

Security-conscious organizations are already a step ahead of the competition and will find it less stressful and labor-intensive to ensure compliance. As an added bonus, customers will remember which companies were able to become compliant quickly, a move that shows customers how much the company values them. This in turn could improve customer loyalty, something every company values.

Though some critics may feel GDPR is too heavy-handed or broad-reaching, GDPR is actually a benefit to both companies and consumers. Consumers receive more control over their personal data and are better protected against breaches. Companies are held to a higher standard, increasing their security overall and helping them gain, and keep, the trust of their customers.

Privacy in the digital sphere has become limited as consumers feel watched wherever they go. Moving forward, GDPR aims to change that by providing clear guidelines for companies and clear rights for individuals, and by making the entire digital sphere safer for everyone.


Andrew Douthwaite is the Vice President of Managed Services at cybersecurity firm VirtualArmour. In his role, Andrew has ultimate responsibility for the successful delivery of the company’s Managed Services offerings within its UK and U.S. operations. As part of the executive leadership team, he also plays a vital role in formulating and implementing company strategy.

Mr. Douthwaite has over 15 years of experience in the Information Technology industry, including eight years with VirtualArmour in senior engineering roles. Before joining VirtualArmour, he held security-centric application positions within leading software and telecommunications providers. In 2002, Mr. Douthwaite obtained a BSc in Computer Science (Software Engineering 2:1), graduating with honors.

Outside of work, Andrew enjoys an active lifestyle as a junior soccer coach and fan and likes to blow off steam with early morning Crossfit sessions!

The opinions expressed in this blog are those of Andrew Douthwaite and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.