The Fundamentals of Data Protection for Businesses

May 2021

The General Data Protection Regulation is an important piece of European legislation that affects businesses worldwide. It’s one of the reasons why so many organisations are getting data security services. It is of the utmost importance to be aware of it, its key obligations, and the consequences of non-compliance. Let’s start with defining the GDPR.

General Data Protection Regulation

The GDPR is a regulation, meaning that it is an order to be executed. When it was enacted, it became national legislation in each EU member state instantly. EU member states can make exemptions from the GDPR (for example, if complying with the GDPR would breach national security). Furthermore, each EU member state is required to pass national legislation to accompany the GDPR, for two reasons. First, the GDPR needs to fit in with local laws. Second, a member state that wants to use any of the exemptions permitted by the GDPR needs national legislation to do so.

Because of the national legislation passed alongside the GDPR, you will need to know the GDPR and the local laws of whatever EU member state you’re based in.

Key Obligations of the GDPR

There are certain things you must do in order to comply with the GDPR. We have listed some below, but this is not a comprehensive list and it is always best to get professional advice.

  • Keep an inventory of the data you are processing. That way, you know exactly what personal data you are processing along with what you do to it.
  • For each type of personal data, and for each purpose for which you’re processing it, figure out the lawful reason you’re processing it.
  • Make sure that you have a data security strategy and that it is strong. Make sure that your technical and organisational methods to secure data are proportional to the amount of risk there is of a data breach or other security incident.
  • Ensure there is a safeguard in place to keep personal data safe when it is transferred outside of the European Economic Area.
  • Update your Privacy Notice. Make sure it is transparent about how and why you are processing data.
  • Change your Cookie Policy to make sure that you don’t just rely on implied consent. Rather, make sure that people using your website are actively consenting to non-essential cookies being used, and only fire those cookies after you’ve received said consent.
  • Make sure your staff is trained in the areas of GDPR that apply to you.
  • Review your employee data privacy policy and revise it if needed.
  • If needed, hire a Data Protection Officer (or you can use an external provider to act as your Data Protection Officer). If you are not legally required to have a dedicated DPO, ensure someone within your organisation is responsible.
  • Your data processors and sub-processors should be compliant with the GDPR and have adequate security to protect personal data. Your contracts with them should also be compliant with the GDPR.

Consequences of Non-Compliance

There are many consequences of non-compliance; here are a few of them.

  • Fines and Sanctions
  • Civil Claims
  • Data Subject Complaints
  • Brand Damage
  • Loss of Trust


If you’re having a hard time understanding all of this, don’t worry. You can always work with a data privacy consultancy to check if you fulfil all the obligations of the GDPR. There are benefits to being an industry leader and ensuring that you value data privacy. The most important benefit is that you gain a lot of consumers’ trust. So, it is well worth the investment.

In need of data privacy consulting services? Get in touch with our team and discuss your individual needs.