Behind the acronym GDPR lies a regulation that has become essential now that nearly every service is digital. The GDPR is the legal framework for the sensitive matter of protecting the personal data of people in the European Union.

Today there is an ever-increasing need for a legal framework that clarifies and harmonizes how the personal data of EU residents may be used and gives them the means to control their digital identity. That need gave rise to the General Data Protection Regulation (GDPR).

What is the GDPR?

GDPR stands for “General Data Protection Regulation”; it is the reference text for the protection of personal data at the level of the European Union.

This set of rules replaces the Data Protection Directive of 1995, which had several drawbacks: as a directive it had to be transposed into each national law, it left too much room for interpretation, it was not very restrictive, and the European Union had since grown to 28 member countries.

The new regulation, consisting of 99 articles, was published in the Official Journal of the European Union on 4 May 2016. This time it gives a stricter framework and a concrete application date: all organizations (public or private) based in the European Union, or located outside the EU but processing the personal data of people in the EU, had to comply with the GDPR by 25 May 2018.

Who is affected by the GDPR?

Any organization based in an EU country must apply the provisions of the GDPR: companies and trade unions, associations, administrations, and local authorities. The same applies to organizations based outside the EU’s borders that collect, store, or use data about residents of a member country. These organizations must protect all personal data in their possession. Beyond information about prospects and customers, this also includes data the organization holds about its own employees, suppliers, and partners.

The GDPR is broad in scope: it covers any information relating to an identified or identifiable person, even when the data collected do not identify that person directly (an IP address, a customer number, or a pseudonymized record still counts as personal data when it can be linked back to someone). All such data, whether stored on physical media (computers, mobile devices, servers) or exchanged electronically (mailings, tracking of Internet users), must be protected under the new European regulation.

Key provisions of the GDPR

The GDPR establishes a harmonized legal framework for all EU Member States.

  • Consent: When an organization relies on consent as the legal basis for processing, that consent must be freely given, specific, informed, and unambiguous, and must be obtained before the personal data are collected. Explicit consent is required for sensitive categories of data such as health data. Consent is only one of the lawful bases the GDPR recognizes; a contract, a legal obligation, or a legitimate interest may justify processing instead.
  • The right to erasure, better known as the “right to be forgotten”: Every data subject has the right to ask the data controller to erase all or part of his or her personal data on several grounds (for example, when the processing is unlawful or the data are no longer needed for the purpose they were collected for).
  • Data portability: Every person has the right to retrieve his or her personal data from the organization that collected them, in a structured, commonly used, and machine-readable format, in order to transmit them to any other data controller of his or her choice. The same person may also request that the data be transmitted directly from one organization to another where technically feasible.
  • Breach notification: In case of a personal data breach (a hack, but also a lost laptop or a mis-sent e-mail), the controller must notify the national data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the people concerned. When the breach is likely to result in a high risk to them, the affected individuals must be informed as well.
  • The obligation to appoint a Data Protection Officer (DPO) for public bodies, and for any organization whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data. (The 250-employee threshold that is often cited concerns the exemption from keeping records of processing activities, not the DPO.)
  • “Data protection by design and by default”: Data protection requirements must be built into products, services, and systems from the design stage, and the default settings must process only the personal data needed for each specific purpose. The aim is to prevent personal data from being disclosed to third parties or used beyond the purpose for which they were collected.

What are the consequences of the GDPR for businesses?

Compliance with the GDPR is a complex subject whose implementation requires time and significant changes in companies. Since 25 May 2018, companies must be able to demonstrate that they comply with the provisions of the GDPR, in particular with the traceability and mapping of personal data processing that the new rules impose. Beyond these two provisions, all aspects of data security must be taken into account with a view to compliance. In practice this means priority projects such as:

  • Mapping personal data within the company
  • Inventorying the processing of personal data and recording it in a data catalog (the record of processing activities)
  • Appointing a Data Protection Officer where the GDPR requires one (public bodies, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data)
  • Managing a cross-functional project to deploy solutions and best practices for data security and data management
  • Changing product, service, and system design methods to follow the principle of data protection by design and by default

Failure to comply can result in financial penalties of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. This is reason enough to take the bull by the horns and start adapting the company to the requirements of the GDPR today.


The GDPR represents a significant step forward in the protection of personal data within the European Union, reflecting the urgent need to address the challenges of the digital age. By establishing a robust and harmonized legal framework, the GDPR ensures that organizations handling the personal data of people in the EU adhere to stringent standards of transparency, consent, and security.

Compliance with these regulations not only safeguards individuals’ privacy rights but also fosters trust and accountability among businesses. As companies adapt to these new requirements, the emphasis on data protection by design and the appointment of Data Protection Officers will become pivotal in maintaining compliance and avoiding severe financial penalties.

Ultimately, the GDPR underscores the importance of responsible data management in an increasingly interconnected world, encouraging organizations to prioritize and respect the privacy of their users.

Are you interested in learning even more about using your data as an asset? Book a demo today to get started on your organization’s journey to complete data lifecycle management with DataGalaxy!