Everything You Need to Know About GDPR Compliance

One time, I went to a seminar on GDPR Compliance.

…I fell asleep.

But not today folks. Today, we are going to make GDPR Compliance as fun as possible. Because at the end of the day, it’s actually super important. And as marketers, we need to be in the know about privacy laws and regulations because A) we don’t want to infringe on people’s rights, and B) we don’t want to get in trouble. Here’s what you need to know:


GDPR stands for General Data Protection Regulation. Basically, GDPR is the European Union's data privacy and security law (in force since May 25, 2018), designed to give people more power over their personal information. The details are all laid out in OVER ONE HUNDRED PAGES' WORTH of text: 99 articles, plus 173 recitals explaining them. Yes, you read that right. Over a hundred pages of rules. Here's the entire thing, for those of you who have unlimited hours of free time + masochistic tendencies. But for the rest of us, here are the basics:

GDPR affects us all

Just because you're not located in Europe doesn't mean you're exempt. The GDPR applies to businesses outside the EU (yes, including U.S. businesses) under either of the following circumstances, spelled out in Article 3:

  1. The company offers goods or services to people in the EU/EEA, whether or not any payment is involved.
  2. The company monitors the behavior of people in the EU/EEA (for example, tracking their browsing with cookies or analytics).

So even if you think none of this applies to you, double-check. Accepting orders from EU customers, or running an analytics tag that tracks EU visitors, can bring you into scope. If it does apply and you're not compliant, you could be hit with heavy fines and penalties, which we will go into later.

Data Protection Principles

If you process personal data in any way, shape, or form, you must do so according to the seven protection and accountability principles outlined in Article 5(1) and 5(2) of the GDPR:

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the person whose data you are processing.
  2. Purpose limitation — You may only collect data for specified, explicit, and legitimate purposes that you told the person about when you collected it, and you may not later use it for a purpose incompatible with those.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only keep data in a form that identifies people for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller (the organization that decides why and how the data is processed) is responsible for being able to demonstrate compliance with all of the principles above.

Some ways to secure your data

  • Requiring employees to use two-factor authentication on every account where personal data is stored
  • Using cloud storage that encrypts data both in transit and at rest (end-to-end encryption, where the provider never holds your keys, is even better)
  • Staff training on data security, including how to spot phishing
  • Incorporating a data privacy policy into your employee handbook
  • Limiting access to personal data to only the employees who need it, and reviewing those permissions regularly

In the event of a personal data breach, you have just 72 hours from becoming aware of it to report it to your supervisory authority (the data protection regulator), unless the breach is unlikely to put people at risk (Article 33). If the breach is likely to result in a high risk to people's rights and freedoms, you must also tell the affected individuals directly, without undue delay (Article 34). Either way, document every breach, including the ones you decide not to report. Fail to do this and you could face major penalties.

Know when you’re allowed to process data

Do not under any circumstances use or process someone's personal data unless you can justify it with one of the six lawful bases in Article 6:

  1. The data subject has given you consent to process the data for a specific purpose, and that consent was freely given, informed, and unambiguous (for example, an unticked opt-in checkbox on an online form; pre-ticked boxes and silence don't count).
  2. Processing is necessary to execute a contract in which the data subject is involved.
  3. You are under legal obligation to process the data.
  4. Processing is necessary to protect someone's life or vital interests.
  5. You are performing a task in the public interest or exercising official authority.
  6. You have a legitimate interest in processing the data (fraud prevention and direct marketing are examples the GDPR itself mentions). This may sound flexible, but it only holds if your interest isn't overridden by the fundamental rights and freedoms of the data subject, and you should be able to show that you actually weighed the two. Tread carefully.

What happens if you are not in compliance with the GDPR?

The fines for violating the GDPR are extremely steep. There are two tiers of penalties: the lower tier maxes out at €10 million or 2% of worldwide annual turnover, and the upper tier (for breaking the core principles, the lawful-basis rules, or data subject rights) at €20 million (roughly $22 million at the time of writing) or 4% of worldwide annual turnover, whichever is higher in each case. Wronged data subjects also have the right to seek compensation for damages caused by the misuse of their data and personal information. So yeah, this stuff is kinda important.

Still with us?

Hopefully you didn’t fall asleep like me. I sure hope we made things somewhat easy to understand (without boring the heck out of you). If your company or organization is affected by the GDPR, and/or if you are a fairly large company that processes a hefty quantity of data, we highly recommend that you consult an attorney or GDPR specialist to ensure you are compliant.