The General Data Protection Regulation is a European law that governs the rules on how organizations are allowed to process personal data. It imposes numerous obligations to ensure we handle personal information securely and respect people’s privacy. 

Although the main reason for the GDPR was to update and harmonize the fragmented national privacy laws and create one comprehensive regulation for the whole EU, it’s been achieved only partially. 

This is mainly because several GDPR articles allow countries to introduce stricter provisions in their national data protection acts, which organizations also must observe.

If your company is based in the EU, then almost certainly yes. The GDPR applies to organizations that process personal data – this means that if you have employees, or send customers invoices you process personal information and need to handle it according to the GDPR rules.

But even if you have no offices in Europe, you may be obliged to meet the GDPR standards in order to do business in a compliant way. This will depend on several factors that need to be assessed case by case. 

The general rule is that the GDPR will apply if it’s apparent that you sell to, or ‘target’ customers in the EU, e.g.:

• with marketing and ad campaigns, 
• referring to EU countries or customers on websites and ads
• offering payment in euro
• using EU languages for marketing and promotion

I will be happy to assist you in determining whether the GDPR applies to your case in a free consultation.

Your specific GDPR obligations depend on many factors, most importantly on:

• what personal information you process,
• whose personal information you process, and 
•  for which purposes do you process personal information

The more sensitive data you handle, the stricter the rules for its protection. 

This makes sense because e.g., a hospital will need to implement stricter data security measures than a local jewelry shop. 

However, it’s not smart to assume that less sensitive data doesn’t need any protection at all.  Compromise of personal information may pose serious legal, financial, and reputational risks to your organization.

In practice, the GDPR obligations typically include:

• Displaying detailed privacy notices
• Ensuring relevant contracts with providers, vendors, and partners
• Adding appropriate wording in employment contracts
• Choosing the right legal permission (basis) for data processing 
• Obtaining valid consent declarations
• Regularly updating a processing record 
•  Assessing risks of data processing and choosing effective security measures to mitigate them
• Handling data breaches accordingly to their consequences
• Ensuring all business processes comply with GDPR principles
• Defining correct processes for enforcing the data protection rights of individuals
• In certain cases also appointing a Data Protection Officer and/or GDPR Representative 

Furthermore, it’s not only required to comply with the GDPR but also to demonstrate your organization’s compliance. The most common way to do it is by having relevant company policies in place. 

World's first data protection law
Germany is one of the first countries with the strictest data protection law, long before the EU General Data Protection Regulation (GDPR).

17 enforcement authorities

Unlike the other European countries with one central supervisory authority, Germany has as many as 17 data protection regulators (16 for each federal state + 1 Federal Data Protection & Information Commissioner). 

Resources & high fines
With the biggest data protection budget in the EU, as well as human resources, the German authorities actively enforce the data protection provisions – with average fines of 50M euros.

#Data Protection Officers

Germany has stricter rules on the designation of Data Protection Officers that typically conduct strict due diligence. As a result, many companies based in Germany are legally obliged to appoint a DPO and 49% of all the European DPOs are in fact in Germany. 

Complex regulations

European data protection regulations are extensive (the GDPR itself has 173 Recitals and 99 Articles), impose numerous obligations, and can be difficult to interpret and understand as they are often written in broad terms. This makes it challenging to correctly translate them into concrete business operations.

Abstract risk-based approach

The GDPR requires assessing and managing the risks associated with each processing of personal data. This can be difficult, as we must consider various factors, make subjective judgments, and keep up with changes in technology that may involve significant investments.

Changing interpretations

As the GDPR is still a relatively new regulation, interpretations, and enforcement change over time, making it difficult to keep up and maintain compliance.

Large scope

The GDPR applies to all organizations that process the personal data of EU residents. It’s a complex task to ensure adherence to correct procedures, especially for organizations with international operations and extensive data processing activities.

These are also the reasons why many organizations choose to work with data protection consultants to ensure they are compliant and thus, minimize their legal, financial, and reputational risks.

The best starting point is to audit each department in your organization and understand what data is used and for which purposes. This will be the cornerstone for determining specific duties and a suitable compliance strategy for your organization.

For organizations that lack the necessary expertise in-house, it is typically worth it to outsource this task to a suitable professional as it will save time, costs, and stress in the long run. I will be happy to assist you. 

Checklist: 5 Steps Employers Must Take To Secure Remote Working (and Why)

What Every Health App Needs to Know About the GDPR

GDPR vs Swiss DPA: Data Breach Obligations for Companies 

 GDPR vs Swiss DPA: Privacy Information Obligations 

GDPR vs Swiss DPA: Data Protection Officer