At a time when data exploitation is the focal point of concern for companies, it is important to understand exactly what GDPR, or General Data Protection Regulation, actually is.

The General Data Protection Regulation is the logical consequence of the various texts regulating the protection of consumer data in the European Union.

It has been applicable since May 25, 2018 in all Member States of the European Union.

Since coming into force, it has replaced all previously existing national regulations.

In France, for example, the 1995 Data Protection Directive no longer applies, nor does the Organic Law 15/1999 in Spain.

What is the purpose of the GDPR?

  • To restore control over personal data to European citizens.
  • To simplify the regulatory environment within the EU for international businesses.
  • To facilitate the free circulation of personal data within the EU.

For businesses, the path to compliance presents major challenges.

They have to adapt their tools and processes, which inevitably implies significant investments.

GDPR compliance: do your research

To become compliant with this regulation, you can get in touch with your national data protection authority for help. For example, in France, the CNIL plays a major role in clarifying and interpreting the text.

Thereafter, you could also consider appointing (or recruiting) a Data Protection Officer (DPO). This DPO will be responsible for raising awareness and training teams for a smooth journey to compliance.

What are the steps to compliance?

Considering that 74% of consumers are loyal to brands which protect their personal data (Accenture Strategy study, 2016) and that the GDPR has been mandatory since 2018, it’s about time you got started! However, it was estimated that one year before GDPR came into force, 45% of companies were still unaware of this new regulation and its implications.

Since it came into force, this figure has been decreasing steadily, but very slowly. Companies need to take the necessary steps to be ready, and this means getting to grips with GDPR.

Ask yourself the right questions

To begin, here are some of the questions you need to ask yourself:

  • Where do you store your data?
  • Why do you have this data?
  • Do you have consent from your consumers to use this data?
  • Who can access this data?
  • Who processes the data?
  • How long do you keep the data?
  • How do you retrieve the data when needed?

Adapt your processes and tools

The next step is to adapt your processes and tools: delete all unnecessary data in your CRM (e.g., Ms. Smith has not been a customer for several years, so why continue to store information on her monthly income?).

Build an impact assessment (e.g., in the event of a security breach, what are the major and minor risks?).

Adapt your contracts to include co-responsibility for data processing. Identify any potential security breaches.

Write up codes of conduct (e.g., traceability of requests from individuals related to their rights to be informed and to have access to data relating to them, etc.).

Add the new legal notices on your communication materials, etc.

Next steps: the 13 keys to understanding the GDPR

  • Expanded definition of what constitutes personal data.
  • Establishment of records of processing activities to explain the purpose of data processing.
  • Reciprocal commitment of responsibility for all parties processing data.
  • Implementation of “privacy by design”: the amount of personal data collected should be restricted to a minimum.
  • Need for an impact assessment before collecting data in order to identify potential risks related to their processing (e.g., if there was a security breach).
  • Determination of how potential security breaches should be addressed: definition, sanction, communication.
  • Creation of a new role, the Data Protection Officer (DPO): mandatory in any company with more than 250 employees or one which processes a large amount of data.
  • Principle of joint controllership: joint and equal responsibility
  • Reinforcement of the notion of prior consent: it is explicit and for a fixed term
  • Extension of individual rights: from four rights to six
  • New territorial scope: every European consumer is protected, regardless of the place from which they are connected (even if they are outside the EU)
  • Supervision of transfers of personal data outside the EU: only with the consent of the person
  • Increased sanctions: up to €20 million or 4% of annual global turnover

Many thanks to Fabienne Granovsky, information technology and civil liberties specialist, for her expertise and significant contribution to this article!