The General Data Protection Regulation (GDPR) has become one of the strictest consumer data privacy laws in force, and it is still making waves, with several large companies accused of misusing personal data.
In June 2021, Luxembourg’s data-protection commission, the Commission Nationale pour la Protection des Données (CNPD), levied a fine proposal of over $425 million against Amazon for its collection and usage practices for personal data.
The case has the potential to surpass any other GDPR case to date, but with a growing global economy and drive toward more transparent data usage, it likely won’t be the last major case of consumer data privacy violations.
See below to learn how GDPR came to exist, how it works, and what you can do to become GDPR compliant and avoid violations and the hefty fines that come with them.
The European Union (EU) passed the Data Protection Directive in 1995, but as the internet, e-commerce, and digital marketing rose to prominence, it determined that a more stringent regulation was needed to protect the privacy and autonomy of consumers' data. Discussions about replacing the 1995 directive began in 2011, GDPR was adopted by the European Parliament in 2016, and all covered organizations were expected to be compliant by May 25, 2018.
The main idea behind GDPR is that individuals, not companies, own their personal data and have the right to know how it’s being used, dictate how it can be used, and remove it from circulation. Businesses are required to provide transparent information to consumers about the personal data they collect and how it’s used. They’re also required to keep this information safe and easily accessible if a consumer requests their data to be edited or removed.
The main players in GDPR are data subjects, controllers, and processors: a data subject is the identified or identifiable natural person the personal data is about; a controller is the entity that determines the purposes and means of processing that data; and a processor is an entity that processes personal data on the controller's behalf.
The official GDPR regulation consists of 88 pages of wide-ranging rules, scenarios, compliance requirements, and enforcement procedures. Some of GDPR’s main data protection rules are below.
All organizations that process personal data are obligated to comply with these seven protection and accountability principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Data controllers and processors may process personal data only when they have a lawful basis for doing so. Consent is the best-known basis, but it is only one of six, and where an entity relies on it, the consent must be freely given, specific, informed, and unambiguous (and explicit for special categories of data such as health or biometric data). The six lawful bases are: the data subject's consent; performance of a contract with the data subject; compliance with a legal obligation; protection of someone's vital interests; performance of a task carried out in the public interest or under official authority; and the controller's legitimate interests, where these are not overridden by the data subject's rights and freedoms.
One of the core principles of GDPR is making sure that consumers retain the right to know about, access, correct, and ultimately control what happens to their personal data. The eight main rights of the data subject under GDPR are: the right to be informed; the right of access; the right to rectification; the right to erasure (the "right to be forgotten"); the right to restrict processing; the right to data portability; the right to object; and rights in relation to automated decision-making and profiling.
GDPR compliance is heavily focused on the seven principles of data protection, but several other requirements provide more detail about what entities must do and examples of how they can effectively comply with GDPR.
Much like HIPAA and other data privacy and security regulations, GDPR requires data controllers and processors to implement technical measures that are appropriate to the risk of the processing. Examples include requiring staff to use multi-factor authentication (MFA), encrypting or pseudonymizing personal data in transit and at rest, deploying anti-malware software and firewalls, being able to restore access to personal data promptly after an incident, and regularly testing that these measures actually work.
Beyond the technical safeguards, GDPR also requires organizations to adopt appropriate organizational measures for data security. Examples include determining whether the organization must appoint a data protection officer (DPO), adding a data privacy policy to the employee handbook and other collateral, and requiring staff training on GDPR requirements.
According to Ray Pathak, VP of data privacy at Exterro, GDPR training for employees is one of the most crucial ways to meet appropriate organizational measures:
“The most powerful way is training and awareness,” Pathak said. “It is one thing to create policies and procedures that lay out what employees are to do in their everyday job, and another to make it relevant to them, so they can actually understand and apply it.”
“The wrong way to do it is having employees sign off on a very technical policy document or for them to attest they read the policy, which too many organizations do.”
“The right way is to have role-based training: HR, sales, product, marketing, corporate. Synthesize the requirements into their everyday situation and train to that.”
GDPR requires affected organizations to demonstrate their accountability to the law on an ongoing basis, which many organizations get wrong, according to Pathak:
“One key element organizations fall short on is the accountability section,” Pathak said. “It is one thing to comply with the law, but it is quite another to be able to demonstrate compliance on an ongoing basis.”
“Demonstrating compliance means documenting processes, creating and storing evidence of compliance, and also producing ongoing attestation of this compliance. Showing a point-of-time compliance in 2018 when GDPR went live is not enough. You have to show ongoing compliance, which is where businesses fall short.”
“Many companies treated GDPR as a project, checked all the boxes to comply and then ended the project. GDPR is not a project. It is an ongoing process that can continually evolve over time.”
This GDPR concept, privacy by design and by default, means that all company software, whether already in use or still in development, has to comply with GDPR and account for how personal data will be used. In particular, when a company is developing a new tool that will access personal data, it must examine what the tool can access by design and by default and whether that level of access is strictly necessary for its functionality. If it is not, the tool's default access should be reduced so that only the data needed for each purpose is collected and exposed, in line with GDPR's data minimization principle.
GDPR is enforced both across the European Union and in each individual EU country. The European Data Protection Board is the overall governing body for GDPR regulation across the EU, but much more happens at the member state level.
Each EU member state adheres to GDPR's basic rules, but member states are able to adjust and add to those rules within the limits the regulation allows. Each member state enforces its approach to GDPR through a supervisory authority, a public body that monitors compliance and addresses instances of non-compliance involving the personal data of individuals in that member state.
GDPR penalties can amount to severe fines, not to mention the lost trust and reputation that organizations face. There are two tiers of administrative fines: the lower tier maxes out at 10 million euros or 2% of worldwide annual turnover, and the higher tier at 20 million euros or 4% of worldwide annual turnover, with the larger of the two figures applying in each case. Beyond these fines, data subjects are also allowed to seek compensation for any damages that the violation causes them.
Even if a company believes it does not handle the personal data of people in the EU, there are several reasons to comply with GDPR, or at least become familiar with its contents.
First of all, the California Consumer Privacy Act (CCPA) passed into law in 2018, after GDPR, and consumer-driven rights over personal data are likely to expand to other states and countries in the future. It is also possible that a company is directly or indirectly handling an EU resident's personal data without realizing it, which would make it liable for privacy violations. Finally, compliance is good for a company's relationship with its customers, as strong privacy and security practices are selling points for its products or services.
Perhaps most importantly, regulations like GDPR force a company to take a second look at its security infrastructure — which could ultimately save it from costly security breaches in the future.
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.