GDPR Regulators Explained

prepared for the GDPR. In the resulting confusion, few know who’s responsible for what. We’re here to help.

European Data Protection Board

The EDPB will be an entirely new body; however, it will be based on the Article 29 Working Party, which currently issues recommendations for the GDPR. Its function has been mostly advisory so far, and it does not deal directly with clients. It serves as an organisation which keeps the European Commission up to date with the current state of affairs.

However, the EDPB is tasked with yet another responsibility: to coordinate the action of the supervisory authorities. It can help solve disputes and issue opinions on issues that SAs cannot agree on amongst themselves.

Supervisory Authorities

Supervisory authorities are organisations established in all EU member states. They must operate independently from the government, and their task is very comprehensive. They are, in a nutshell, responsible for a smooth application of the GDPR in practice. They are here to protect the rights of EU individuals when it comes to data privacy and safety.

All supervisory authorities must work together in order to ensure a smooth and consistent application of the rules in the entire European Union.

They facilitate contact between the individuals who have queries or complaints on one side and companies on the other. They are the contact point for companies who will solve all their data privacy and safety issues with them. This is the touted one-stop shop mechanism that will help reduce overall costs and administrative load imposed both on companies and on the individuals.

Even if a company is based in several EU countries, the company only deals with a single supervisory authority, which then becomes the lead authority. The lead authority is the only one that can produce legal decisions against the company.

European Commission

Lastly, there is the European Commission. It will be part of the European Data Protection Board. It is there to act as an observer and a watchdog of the common interests of European citizens. It can issue opinions regarding consistency mechanisms, but should not get tangled up in individual cases.

The Commission and the EDPB can demand that a supervisory authority suspend a measure they deem incorrectly applied, but only in cases where the opinions of the authority and the Board differ and where these decisions would affect the functioning of the common EU market.


Overall, we believe the one-stop-shop is an excellent mechanism that will leave companies with more time and resources to do their thing and leave the administration to the supervisory authorities. They will do a lot of work behind the scenes, so that companies don’t have to do anything. This will drastically ease communication and foster the overall competitiveness of EU companies. At the same time, the rights of the individual citizens will be well-protected. We can’t wait to see it work in practice!


Preparation for GDPR Compliance

Even if you found out the GDPR will apply to you from 25 May 2018, when it enters into force, you don’t have to worry. It’s all a matter of simple preparation – the better you do before it rolls out, the better your chances of having nothing to worry about. Now, nobody said this will be trivially easy to do, but it’s not that big of a deal either.

From our experience, we found out that small companies are having the hardest time complying with the basics of the GDPR. The reasons are very much practical – they simply don’t have the time, money or know-how to do better, no matter how hard they try. But things don’t have to be as bad as they are now.

Analyse and Research

The first part of getting things right for the GDPR is laying down the basics. Study the key provisions of the GDPR and try to think about the changes you will have to make. Consult your local laws, too, as they may sometimes be applicable as well.

Then, make note of practices you have identified as possibly not in line with the GDPR. These are the activities you will have to closely watch as you advance in your compliance efforts.

Map and Secure

Mapping your data is also a very important requirement of the GDPR. You have to be able to account for your data at all times. That means knowing where the personal data is stored exactly, how many copies there are, what your plans with the data are, and finally, when you will delete the data.

If you meet the above checklist, you can be reasonably sure the data won’t get used maliciously. Plus, it will be easy to answer personal data requests if you know where you store your data.

Additionally, security is also paramount. Make sure to encrypt and anonymise your data for maximum protection. Consider using access controls and make strong passwords mandatory.

Impact Assessments

A Data Protection Impact Assessment (DPIA) is an essential tool to ensure your data processing is legal. If you are doing any processing of sensitive data, you must perform a DPIA.

DPIAs help you determine both the risks and positive consequences of your envisioned processing actions, thus helping you decide whether carrying out the processing is a good idea. Data Protection Officers can help you conduct a DPIA.

Consent – Revised

Processing of personal data will now require a more informed level of consent from individuals. You will have to explicitly inform individuals of your plans to use their personal data. The notices must be served at the time of obtaining data, and they must be written in simple, understandable language. Consent (ticking the box or similar) must be explicit – no pre-ticked boxes are allowed anymore!


Keep all records of your data processing. This isn’t a requirement if your company has fewer than 250 employees, but good records are the key to proving compliance with the GDPR to the authorities.

Data Portability and the GDPR: User Rights

Data portability is one of the core rights that data subjects have under the GDPR. It is very important for the optimal protection of user rights, but also crucial for the overall economic development.

Data Portability: Defined

Data Portability is in fact a very simple right. Basically, an individual has the right to swiftly and easily move all their data from a single service provider on to another one in a highly standardised, common format. For example, they could move their e-mails or contacts to another provider. Or, their pictures and profile details from one social network to another.

This measure has been introduced to aid individuals in finding services they like without fearing that their data would be lost. It also reduces the inconvenience of switching services and having to input all the data again. Many large companies were banking on the users’ reluctance to switch instead of introducing new features in order to keep their users.

Now they will have to try harder, whereas users will be able to try out novel services.

The Economy?

In theory, startups should be the happiest group to see this right. They will now have an easier time of attracting new users, since the inconvenience of changing services goes out of the window. In turn, this should foster innovativeness and competitiveness between companies in the entire EU.

This will provide customers with a greater range of choices and ensure the EU does not fall behind in innovation and technology compared to the rest of the world.

The Nitty-Gritty

The principle of data portability goes as follows: as soon as the individual makes a request, the company has 30 days to compile the data and either provide it to the individual or directly transfer it to another service. The data should be in a common format so that it can be easily shared and used with minimal alterations.

Companies can charge a proportional, small fee for excessive requests or very large requests that require plenty of administrative workload. Most often, these requests will be made offline, but the GDPR allows for written requests as well.

The entire process should be performed with regard to safety of personal data of individuals whose data is being transferred. To that end, the company should make sure the person initiating the request is indeed the person whose data will be transferred. They have the right to require login identification, but may also ask for other forms of verification, such as ID scans or similar.


Overall, the data portability principle will balance out the powers that huge companies have over the regular folk. They will be able to choose their online service providers without being forced to stay under the threat of seeing their data deleted. This will spur growth and competition, and all this will benefit the end users. Furthermore, they will now know exactly where their data is and what data the companies actually hold on their servers.


GDPR and Data Protection Methods

Data breaches can be a very expensive affair. Fines from the supervisory authorities can be huge, not to mention the fallout from the users and a major drop in confidence.

The GDPR will replace the deprecated Data Protection Directive from 1995 and bring new, streamlined rules. Along with the new rules comes the threat of substantial fines, so data protection should be the top priority of all companies that process personal data.

The fines are large – up to 20 million Euros or 4% of the company’s annual global turnover, so it pays to prevent data breaches rather than contain them.

Essential Measures

Personal data, and particularly sensitive personal data, must be secured well. The more sensitive the data, the better the security measures need to be. Less important data does not need to be as tightly secured (but there must be a high basic level of general security).

This risk-based approach aims to reconcile the costs of data security with the potential risks. That’s why you should be aware of the sensitivity of the data you hold by regularly conducting DPIAs. You can save plenty on low-risk data by not guarding it so closely, but if you are unsure, it is best to treat all data as important.

Behavioural Security

Along with very useful technical measures, the human factor is simply too important to ignore. Employees are a huge data breach risk, and so measures must be taken to reduce the risk. Access controls are one of the ways to reduce the risk. Confidentiality agreements and physical access restrictions are another.

Ensure data isn’t taken away on portable devices. Make regular backups of data and store them well. Encrypt sensitive data, and make sure to keep the backups completely offline. Third party services should not be used for backup services, as it simply creates another weak link where the data might leak out, mostly due to human error (consider how often data gets stolen from the cloud).

Two-factor authentication is a great way of forcing all the responsible individuals to keep up with their security routines, while preventing, at the same time, malicious individuals from gaining easy access to the company network.

Technical Security

Low-risk data generally doesn’t need measures such as anonymization or encryption, but sensitive data does. High-risk data should at all times be encrypted and whenever possible stripped of its identifying parameters in a process called pseudonymisation. Such data is considered low-risk, since the identity of the individual person cannot be found out as easily. Encryption, of course, is still highly recommended and remains the gold standard of data safety.

Updates and regular maintenance of security applications should not be overlooked. Make sure the company uses cryptographic protocols at all times, like SSL and TLS. Ensure the data is securely destroyed. This includes deletion in multiple passes, but can also refer to physical destruction of media in some more extreme cases. Papers could also need expert disposal instead of simple shredding.
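The pseudonymisation described above, as an added example that is not part of the original article: direct identifiers are replaced by a keyed (HMAC) token, the date of birth is coarsened to a year, and the key plus lookup table are kept apart from the output so only the controller can re-identify records. The sample records and the key are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people, not real data).
SAMPLE_RECORDS = [
    {"name": "Ana Example", "email": "ana@example.test", "dob": "1990-04-02", "purchase_total": 120.5},
    {"name": "Ben Example", "email": "ben@example.test", "dob": "1985-11-17", "purchase_total": 15.0},
    {"name": "Ana Example", "email": "ana@example.test", "dob": "1990-04-02", "purchase_total": 42.0},
]

# Fields that directly identify a person; they are replaced by a keyed pseudonym.
DIRECT_IDENTIFIERS = ("name", "email")
# Fields that identify a person indirectly; here they are coarsened, not removed.
QUASI_IDENTIFIERS = ("dob",)


def generate_key() -> bytes:
    # The pseudonymisation key is secret data in its own right; store it
    # separately from the pseudonymised dataset (e.g. in a key vault).
    return secrets.token_bytes(32)


def make_pseudonym(key: bytes, email: str) -> str:
    # HMAC rather than a plain hash: without the key, nobody can rebuild the
    # mapping by hashing a list of known e-mail addresses and comparing.
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised_records, lookup).

    lookup maps pseudonym -> the stripped direct identifiers and must be
    stored separately from the output, together with the key."""
    out, lookup = [], {}
    for rec in records:
        pseudo = make_pseudonym(key, rec["email"])
        lookup.setdefault(pseudo, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["subject_id"] = pseudo
        for f in QUASI_IDENTIFIERS:
            new[f] = new[f][:4]  # keep only the year of birth
        out.append(new)
    return out, lookup


def reidentify(pseudonymised, lookup):
    """Controller-side reversal using the separately held lookup table."""
    return [dict(r, **lookup[r["subject_id"]]) for r in pseudonymised]


if __name__ == "__main__":
    key = generate_key()
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in data:
        print(row)
```

Records for the same person receive the same token under one key, so the dataset stays useful for analysis, while a different key (or no key) yields unrelated tokens, so two pseudonymised datasets cannot be joined without the controller's key.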


Essential Rules for Records in the GDPR

It’s easy to feel overwhelmed by the obligation to keep records under the GDPR. It is a non-trivial requirement that will force most companies to reconsider their processing operations. This is likely the goal of the GDPR, in that only the necessary processing operations should be carried out.

However, not all is that bad. Records can give you more insight into how you process data, giving you an overview that you could have a hard time getting otherwise. Plus, the regulators will look kindly upon you.

Mandatory for All

Record-keeping is now a requirement both for data controllers and data processors. Even third-party companies will have to store processing records for data they don’t own, but process anyway.

The goal is to have the records ready for when the regulators require them. They must be quickly presented to the regulatory authorities, and they are considered prime evidence of compliance with the GDPR.

SMEs Have It Easier

Small to medium enterprises, i.e. businesses employing fewer than 250 individuals, are ‘given some slack’ when it comes to record-keeping. The administrative burden is comparatively larger for small companies than for large ones, so SMEs now do not have to keep records, as long as they satisfy certain conditions.

Their processing must not occur on a regular basis (only occasionally), and processing cannot be the core business operation. If sensitive (protected) data is being processed, record-keeping is mandatory. This includes employee data as well.

Purpose Matters

Several processing activities can be bundled into a single record, as long as the processing is conducted for one, individual purpose.

A single record can thus apply to several operations, which can help you reduce the number of records you own. However, sometimes this can increase their complexity so you might not gain much. Separate records are thus also allowed.

Bare Essentials

Processing records have a list of required data that must be included within them. There are no set rules for how they should look (or in what file format they should be made and kept), so companies are allowed to choose whatever they like.

However, the bare minimum of content is non-negotiable. Each record must include a detailed explanation of the purpose of processing and the contact details of the processor. Categories of personal data and sensitive personal data used for processing must be listed, as well as any ongoing transfers of data outside the EU. Specify the period after which the data will be deleted and briefly explain what security measures you took in order to secure the data.

DPOs Can Help

A data protection officer can help things run smoothly, especially in smaller organisations that lack qualified personnel. Small companies can even outsource their DPO to reduce costs but still take advantage of their know-how. This can help them avoid expensive fines and liability at a minimal, nominal cost. Plus, a DPO can provide valuable education for the rest of the staff, which should reduce the risk of data loss and breaches.

Derogations in the GDPR

The GDPR aims to harmonise and streamline the privacy law in the entire EU. However, just like its predecessor, the Data Protection Directive, the GDPR still does allow for individual member states to intervene and introduce certain changes. Let’s find out what these changes are.

Few Options

There are few situations in which the Member States are allowed to make their choices. Most are regulated in Article 23. The states are permitted to make exceptions for certain GDPR stipulations, but never in a way that would go against the human freedoms and personal rights.

Exemptions from the GDPR are all allowed when national security and public safety are at stake. They are also allowed in criminal investigations, regulatory investigations, judicial cases and in the public interest.

Additionally, the member states are allowed to set tighter limits on data processing than those set out in the GDPR, except when it comes to children’s rights: the default threshold is 16 and can be reduced to 13. In all other cases, the states may only tighten the rules, such as provisions on data safeguards, purposes for processing, storage period, notification rights etc.

Specific Situations

Specific processing situations are also covered in Chapter IX of the GDPR.

Thus, Article 85 considers the freedom of information and the GDPR. Member states are given a bit of leeway to balance the rights of individuals with the right to freedom of the press. This rule is expected to be invoked only occasionally, since the European Commission must be informed if such derogations do occur.

The two subsequent articles, 86 and 87, give public authorities the right to give out personal information if it is in the public interest. Member states are also allowed to restrict the processing of personal data like ID card numbers.

Article 88 deals with processing with regards to employment. Employees are a particularly vulnerable group of individuals since (potential) employers have so much power over them. Taking this into account, it is important to ensure the processing requirements for data on employees remain strong.

Other articles deal with the use of data for scientific purposes. Most often, scientists can use personal data in their research if they take reasonable measures to ensure the data is safe. Countries are allowed to make such processing legal if they fear scientific progress is in jeopardy.

Particular derogations can be made for secret data. The rationale is to balance out the right to secrecy and protection of personal data. Special conditions for churches and other religious organisations are also outlined.


These processing situations and derogations by and large take away from the original goal of the GDPR to ensure the privacy laws remain equal in the entire EU. However, matters are not as bleak, since there aren’t many of these derogations. It also isn’t hard to document the potential differences between the member states, so that companies do not have to sift through various laws and legal documents. We hope supervisory authorities will step up and help solve these issues.

GDPR Applicability for Multinational Corporations

The good news about the upcoming General Data Protection Regulation (GDPR) is that it will apply both to small and large companies equally. This will ensure a fair competition and a strong set of privacy rules.

The entire privacy landscape will be revamped and made equal. Since the GDPR applies to EU data and is not based on the company domicile, this means there are no ways for large companies to avoid their GDPR obligations by moving to a non-EU country.

In other words, there are no loopholes that large companies can exploit and gain advantage over the smaller ones without a legal department to back them up. The principle is very simple – either you behave or you can stop doing business with the EU.

However, we are still far away from seeing compliance. Less than 50% of companies have begun preparing for the inevitable, and there is less and less time, as the GDPR enters into force on 25 May 2018.

Who Is Applicable

First, the companies should determine whether they are bound by the GDPR. In most cases, larger companies will be bound since most do business with the EU.

The company doesn’t need to be located in the EU in order for the GDPR to apply. If it has clients from the EU, or does business with EU companies, then data originating from these clients and companies is protected by the GDPR.

Most large companies have their representatives in the EU, which means their offices must be GDPR-compliant without further ado.

However, GDPR could apply even if the company is marketing towards EU customers. This is determined by reviewing the marketing language, currency and the perceived target market. The only way for the GDPR not to apply is to block EU customers from visiting their website, or make it clear any EU visitors or shoppers have not been intentionally marketed towards.

In some cases, with limited EU-sourced data, the company may be exempt from the GDPR, but these cases are few and far in-between. Note that, barring unusual circumstances, the usual cross-border data transfer rules apply.

Obligatory Record-Keeping

Companies with more than 250 employees must be careful to keep records meticulously. Companies can later use these records as proof of compliance with the GDPR provisions.

If companies introduce any changes regarding how they handle data, all their subsidiaries must be informed and records must be properly updated. This is an example of GDPR compliance being a continuous exercise, not a one-time action.


Companies must remember to appoint an official EU representative if they plan on doing business with the EU. The representative should be involved in the current privacy affairs. They will serve as contact points between the company and EU customers and institutions.

The representative should act according to the company directions, but is allowed to provide advice to the company’s headquarters. There are no set rules as to in which EU country the companies are obligated to appoint the representative, so they can choose whichever they see fit.