May 25 is Deadline to Comply with the EU’s General Data Protection Regulation

Estimated Reading Time: 4 minutes

Along with losing weight and exercising more, your 2018 New Year’s resolutions should include this: Get your company compliant with the General Data Protection Regulation by May 25.

Or else?

Or else your company could face €10 million to €20 million in fines – not to mention risk a public relations nightmare.



The European Union Parliament adopted the GDPR in April, 2016 to protect personal data of EU citizens and regulate how such data may be used. This regulation not only applies to organizations — data controllers and data processors — located within the EU. It also applies to those outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. (This means you!) The exception is organizations in the United Kingdom, which is expected to have its own, similar regulation post-Brexit.

Parliament said in a news announcement at the time that the GDPR aims “to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era.”

Provisions include things like a user’s “clear and affirmative consent” to the processing of private data, a user’s right to transfer data to another service provider, and to know when their data has been hacked, access to privacy policies that are explained in clear and understandable language, and stronger enforcement and high fines as a deterrent to breaking the rules.



Personal data is any information related to a natural person or data subject that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A data processor is an entity which processes personal data on behalf of the controller.



Experts agree GDPR awareness is crucial from top to bottom of an affected organization. You need to educate personnel and establish protocols. Do you have an emergency handbook for coping with data breaches? This is the time to consider one. In some circumstances, you may need to appoint a Chief Data Protection Officer.

Other recommended steps are review and documentation of your data security procedures. Have you done a security audit or penetration test lately?

Note, too, the GDPR requires servers which hold or process any personal data are within compliant facilities.

If all this seems overwhelming, don’t worry. Consultants are available to help.  Some experts even point out any expense you may incur adding help for GDPR compliance will likely be far below what you’d pay in penalties for non-compliance.


Cost of Acquisition

Fines are case specific, and reportedly will be given mostly when violations result in any real damage. Violators should be ready to shell out up to €10 million to €20 million, based on different sections of the regulation, like having the correct consent registered of the user, correct authoritative certifications to process sensitive data (like correct PCI-DSS level to process credit card information), and so on; or violating rights and freedoms of data — things like cross-border data transfers, handling and securing personal data, transparency on why/how you handle data.


For more information about this topic or ways to more effectively leverage your data, contact your InfoTrust Consultant today.

Last Updated: March 1, 2018

Other Articles You Will Enjoy

Ohio Personal Privacy Act: What Marketers and Advertisers Need to Know

Ohio Personal Privacy Act: What Marketers and Advertisers Need to Know

Much has been made about 2023 being the year of reckoning for privacy regulations in the United States, with five states having new regulations…

10-minute read
The Latest on the UK Data Reform Bill

The Latest on the UK Data Reform Bill

On June 17, 2022 a press release from the United Kingdom (UK) Government’s Department for Digital, Culture, Media & Sport (DCMS) and The Rt…

7-minute read
Privacy and Data Protection in the Kingdom of Saudi Arabia

Privacy and Data Protection in the Kingdom of Saudi Arabia

In September 2021, the Kingdom of Saudi Arabia (KSA) issued its Personal Data Protection Law (PDPL) to regulate the processing of personal data. The…

6-minute read
Patchwork Privacy: U.S. State Legislation Roundup

Patchwork Privacy: U.S. State Legislation Roundup

Privacy protections in the United States take a big leap forward in 2023 with five states having new privacy laws going into effect. This…

16-minute read
The Latest on the EU – US Data Sharing Agreement

The Latest on the EU – US Data Sharing Agreement

On October 7, the White House announced an “Executive Order: On Enhancing Safeguards For United States (US) Signals Intelligence Activities.” President Biden did this…

8-minute read
3 Major Happenings in the World of Privacy for 2023

3 Major Happenings in the World of Privacy for 2023

First things first: Happy Data Privacy Day 2023! We hope you consent to having some fun this year! As we celebrate Data Privacy Day…

8-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.