What do you need to know about the GDPR


If you aren’t familiar with the General Data Protection Regulation (GDPR) yet, it’s about time you get familiar. The GDPR was approved in the European Union in April 2016 and will go live on May 25, 2018. It’s the most ambitious set of privacy laws to ever be passed.

In the age of big data, the GDPR is here to protect individuals and their right to determine how a company uses its data. In 2018 alone, we’ve already read about major data breaches involving companies like Equifax and Facebook. Therefore, the GDPR works to protect an individual’s privacy and to hold major companies accountable for the data they are collecting about their users.

The Basics of the GDPR

From now on, companies will now require the consent of individual users when it comes to data collection. For instance, if users don’t give their consent, a company will not be able to collect your data and if they abuse these laws the fines are substantial. Most importantly. the legislation will directly affect “controllers” and “processors” of data.

What is a Controller?

A controller is any entity that states how and why data is collected and processed. For example, Amazon, Facebook, and Google are all controllers because they collect and control how the data is accessed, analyzed, and processed.

What is a Processor?

On the other hand, a processor is any entity that handles the processing of the data. In most cases, this will be IT firms that store the data and directly interact with it in some way.

Certainly, with the rise of the Internet of Things, personalization, and other big data initiatives, the GDPR was a much-needed piece of legislation to motivate companies to develop secure systems for collecting, storing, and transferring user data. Above all, under the GDPR individuals will now have more power to control how a company collects and handle their data.

Here are just a few of the things you can do:

  • A company will require a user’s consent before they can collect their data.
  • Individuals can call on companies to delete their existing data as well, ushering in a new era of digital privacy.
  • Consent for users under the age of 16 can only be granted by their legal guardians.
  • Users will have the right to know how and where their data is being used.

Penalties for Violating the GDPR

However, while you may be thinking that it seems easy for companies to ignore these requests, the EU is already one step ahead. To clarify, companies that violate these types of requests will face major fines. Failure to comply with GDPR laws can result in fines between 2-4% of a company’s annual revenue, or $20 million Euros, the total is based on whichever number is larger. In fact, for larger technology companies, a fine this large is crippling and has prompted a large-scale response to the legislation.

The Authoritative and Advisory Bodies in the GDPR

There are three main bodies that serve in an authoritative role under the GDPR. These bodies include:

  • The European Commission: This body represents the general interests of the EU and consists of 28 commissioners and is responsible for enforcing EU laws.
  • The European Parliament: Like other parliaments, members of the European Parliament are responsible for passing news laws.
  • The Council of Ministers of the European Union: The different ministers are responsible for adopting legislation and dealing with budgets.
  • The Advisory Bodies in the GDPR: There are two advisory bodies in the European Union. These bodies include:
  • Article 29 Data Protection Working Party: This body advises the Commission on data protection matters and data privacy issues and works to promote the GDPR across the EU.
  • European Data Protection Supervisor: The EDPS is the main advisory body in the EU. They oversee the processing of personal data, GDPR compliance, and general regulations. They are directly responsible for handling complaints, monitoring new technologies, and general data privacy.

Does the GDPR Affect Non-EU Companies?

Any company that interacts with EU citizens must become GDPR-compliant. That is to say, most large American companies have already developed their own systems to make their companies GDPR-compliant. Most importantly, when Facebook CEO Mark Zuckerberg testified in front of the House committee, he suggested that Facebook was going to automatically extend the new rights granted under the GDPR to all Facebook users.

The Creation of the Data Protection Officer

Since the initial announcement, companies have been scrambling to create systems to help them follow the new set of rules. The data protection officer (DPO) is a direct result of the GDPR. Large companies have appointed DPOs in order to develop internal systems that will keep them GDPR-compliant.

Here are just a few tasks a DPO is responsible for:

  • Developing systems and policies to keep the company aligned.
  • Training staff on acceptable data processing practices.
  • Performing audits and addressing internal issues on a proactive basis.
  • Communicating with the GDPR Supervisory Authorities.
  • Maintaining detailed records about a company’s data collection and processing. These reports need to be readily available and made public if requested.
  • Interacting with the public to keep them informed about how their company uses data, their ability to erase it, and anything else related to the data they are collecting and using.

The GDPR Isn’t Optional

Thus, making your company complaint may seem challenging, it’s something all companies need to do before the legislation goes live. Whether your company is big or small, you need to take the right steps to become compliant. Above all, Recommend is a GDPR-compliant personalization platform that falls under the processor label in the guidelines. We provide automated, on-site recommendations to your users as they browse online stores in order to boost conversions and increase user engagement.