GDPR: Keeping Your Data Secure since 1995

But some of the greatest changes since the beginning have just been made…

What is GDPR?

GDPR, or General Data Protections Regulation, is a European framework for data protection laws. The purpose of the regulation is to enforce personal data privacy for all individuals within the European Union. It also addresses the exportation of personal data outside the EU, meaning individuals who are outside of the EU but conduct business with merchants or businesses within the EU are also protected. For example, if you owned an all-natural supplement line, and your manufacturer was located in Paris, your data would be protected by GDPR although you do not reside within the EU.

The Right to Secure Data

GDPR completely reshapes the way businesses and organizations handle data, but this change is for the better. By placing stricter guidelines on the way business transaction data is collected and processed, the regulation advances the rights of individuals and gives them more control over their information. Good news for business owners, right? The new GDPR regulations were implemented in May 2018, but that wasn’t the first time that Europe was required to implement its framework.

In fact…

This new set of laws replaces regulations that were first administered in 1995.  But these changes didn’t happen over night. Following a two-year post adoption grace period, the GDPR was fully enforced throughout the European Union in May 2018, according to the official GDPR website. Prior to its enforcement, the Council of the European Union held many meetings, delegating and implementing Acts and making final provisions.

GDPR Timeline

  • October 24, 1995

    Data Protection Directive

  • January 25, 2012

    Initial Proposal Released

  • March 12, 2014

    European Parliament Approves First Reading

  • December 15, 2015

    Parliament and Council Agree

  • April 16, 2016

    Adopted by the EU

Greatest Security Change in 20 Years

For individuals and business owners alike, many of the 2018 GDPR changes are life changing.

In fact, Forbes called it “the greatest change to European data security in 20 years.”

Some of the changes include increased territorial scope, higher penalties and strengthened consent rules, according to the GDPR website, where you can also find a extensive list of changes.

That means…

Fined Penalties

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

Territory Extension

Extended jurisdiction of the GDPR as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

Strengthened Consent

The conditions for consent have been strengthened, and companies are no longer able to use long illegible terms and conditions full of legalese.

Are U.S. Businesses Affected by GDPR?

In short, YES!

Any US company that has a web presence and markets their products over the web.

Well, that doesn’t quite narrow it down.

The regulation applies if the data controller, or organization that collects data from EU residents, or processor, an organization that processes data on behalf of a data controller, such as a cloud service provider, or the person, or data subject, is based in the EU.

In other words, those who must comply with GDPR in the United States include individuals outside of the EU that work with organizations within the EU, according to Forbes.

Rules for Protection

If your business is required to be compliant, there’s a few rules you need to know.

  • Controllers of personal data must put appropriate technical and organizational measures into place in order to implement the data protection principles.

That means that individuals and business owners must create a process that specifically exists to handle the care and protection of their personal data, such as using pseudonyms or data anonymization.

  • Individuals must setup highly secured privacy settings by default. That way, the data is not available publicly and can only be accessed with explicit, informed consent.
  • No personal data can be processed unless it’s done under a lawful basis specified in the regulation.

And this regulation is so strict that even after the data controller grants permission to the processor to access the data, the processor must declare the purpose of the collection, how long it will be retained and if it’s being shared with third parties outside of the EEA, or European Economic Area. 


In some cases, personal data can be processed without the data subject’s permission. According to Article 6, there has to be at least one legal basis to process data without consent. The lawful purposes are:

  1. If the data subject has given consent to the processing of his or her personal data;
  2. To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
  3. To comply with a data controller’s legal obligations;
  4. To protect the vital interests of a data subject or another individual;
  5. To perform a task in the public interest or in official authority;
  6. For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).