GDPR directly affects any company, inside or outside the EU, that handles the personal data of people in the Union: customers, prospects, visitors and staff alike. The Regulation has two stated goals: to protect the fundamental rights of natural persons with regard to their personal data, and to let that data move freely across the single market under one set of rules rather than a patchwork of national ones.
A single rulebook makes it far easier for European companies to work with each other and with customers across borders, because a controller in one Member State no longer has to reconcile its practices with a different law in every other one. That is the practical payoff of the GDPR.
Before Regulation (EU) 2016/679 was enacted, there was no single, directly applicable set of rules binding every Member State and every organization, national or international, that handled the personal data of people in the European Union.
But before we tell you what GDPR is, how it affects your customers, your company, and your processes, let's clarify what is meant by "personal data".
Regulation (EU) 2016/679, adopted by the European Parliament and the Council, defines personal data as any information relating to an identified or identifiable natural person. Almost any piece of user information therefore qualifies, or can qualify in combination with other data: an IP address, a cookie or device identifier, an email address, a first and last name, a customer number, and much more.
Most people find legislation dull. If you have decided to read this article, it is probably out of urgent need. We have condensed the essentials of GDPR here so that you know how to deal with it and apply it to your business in a responsible and, where possible, beneficial way.
Please note that we are not legal experts. This should be considered as a summary and explanation of what GDPR is and how it affects you and your customers. For legal questions, refer to an expert or read the official document.
What is GDPR?
The GDPR, or General Data Protection Regulation, protects natural persons with regard to the processing of their personal data and governs the free movement of that data within the Union.
The reason it was created is simple.
Before GDPR, the European Union relied on Directive 95/46/EC. A directive binds Member States as to the result to be achieved, but each state had to transpose it into its own national law and could choose how. The result was a patchwork: different countries applied different rules to the same processing.
Rapid technological change, globalization, and growing economic and social integration exposed this lack of cohesion between national laws.
Data subjects ended up with uneven rights depending on where they and the company were located, while companies were either confused about how to proceed or able to exploit the gaps in their handling of the personal data of people in the Union.
When did GDPR come into force?
The Regulation was adopted in April 2016 and became applicable on 25 May 2018, creating a single legal framework for data protection throughout the EU and beyond. Companies established outside the Union must also comply when they offer goods or services to, or monitor the behaviour of, people who are in the Union.
Where does GDPR apply?
GDPR is mandatory for every organization that processes the personal data of people in the EU, whether the organization is established in the Union or is based elsewhere and targets or monitors people in it (Article 3). Its reach is therefore effectively global: a non-EU company selling to EU customers is subject to the same obligations and the same fines. Enforcement against such companies is harder in practice, which is one reason Article 27 requires most of them to designate a representative in the Union.
What is sensitive data and how does it differ from personal data?
Although the Regulation protects all personal data, a subset receives special treatment: the "special categories of personal data", commonly called sensitive data (Article 9). Their nature, and the risk their misuse poses to fundamental rights and freedoms, is why processing them is prohibited by default and allowed only under specific exceptions.
The special categories are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.
Sensitive data is still personal data, so everything that applies to personal data applies to it. In addition, you need one of the Article 9(2) conditions (typically explicit consent) before processing it at all, and a breach involving it is far more likely to be treated as high-risk, with heavier fines and an obligation to notify the affected people. Be especially careful with it.
Implications of GDPR for data subjects
The Regulation grants a set of rights to the people the personal data refers to (the "data subjects") and places the corresponding obligations on the organizations that process it.
The rights of your customers and other data subjects are the following:
- Right of access. The data subject can request confirmation of whether or not their personal data is being processed and, if so, obtain a copy of it together with information about the processing: its purpose; the categories of data; the recipients who have access to it; the retention period, or the criteria used to determine it; and the existence of the rights to rectification, erasure, restriction and objection.
- Right to rectification. The data subject can have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (also known as the right to be forgotten). This is the right that has attracted the most attention. The data subject can request deletion of their personal data when, among other cases: it is no longer necessary for the purposes for which it was collected; they withdraw the consent the processing was based on; it has been processed unlawfully; or erasure is required to comply with a legal obligation under Union or Member State law. The full list is in Article 17 of the official text.
- Right to restriction of processing. Under certain conditions (for instance while the accuracy of the data is contested, or while an objection is being assessed) the data subject can require you to stop doing anything with the data beyond storing it. The conditions are listed in Article 18.
- Right to data portability. The data subject has the right to receive the personal data they provided to you in a structured, commonly used and machine-readable format, and to transmit it to another controller; where technically feasible, they can ask you to send it directly to the new controller.
- Right to object. As the name indicates, the data subject can object to the processing of their data. You must then stop unless you can demonstrate compelling legitimate grounds that override their interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims. An objection to direct marketing must always be honoured; there is no balancing test.
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.
Now let's see how these rights and obligations affect online businesses.
Impact of GDPR on online businesses
As a digital company you are, in GDPR terms, a controller (you decide why and how personal data is processed) and possibly also a processor (you handle data on behalf of another controller). Your duty is to apply "appropriate technical and organisational measures" (pseudonymization, encryption, data minimization, access control, and so on) that ensure and demonstrate that processing complies with the Regulation. These measures must be reviewed and updated where necessary.
Additionally, when you rectify, erase or restrict personal data, you must communicate that change to every recipient to whom you disclosed the data, unless this proves impossible or involves disproportionate effort, and tell the data subject who those recipients are if they ask (Article 19).
Whether you are a data controller, a data processor, or both, you must comply with everything Regulation (EU) 2016/679 requires of that role. As a controller, you may use only processors that provide sufficient guarantees of compliance, and you must bind them by a written contract (Article 28).
Sharing personal data with third parties requires a lawful basis (Article 6): the data subject's consent, or another basis such as performance of a contract or a legitimate interest. In every case the recipients, or categories of recipients, must be disclosed in your privacy notice.
Keep in mind that pre-ticking "accept all cookies" goes against the Regulation: consent must be a clear affirmative act, freely given, specific and granular (the user can accept some purposes and reject others), informed, and as easy to withdraw as to give. Silence, pre-ticked boxes or inactivity do not count as consent.
"Opt-in" forms that authorize the processing of personal data must be available, and so must equally simple ways for the data subject to withdraw consent or to exercise the rights to restrict, erase, rectify or object to the processing.
Making this process easy and removing obstacles for your customers is fundamental. The last thing you want is to turn data protection and GDPR compliance into an operational and reputational crisis for your business.
If you already have implemented these systems, let your users know. Not all online businesses take all the necessary measures to protect their customers, even if it is their duty.
As previously mentioned, another of your obligations as a controller is to keep a record of your processing activities (Article 30), including:
- The name and contact details of the controller and, where applicable, of any joint controller, representative and data protection officer;
- The purposes of the processing; and,
- The categories of data subjects and of personal data, the recipients who will have access to the data (including any in third countries), the envisaged retention periods, and a general description of the security measures protecting the data, among other details.
All of this must be included in the record.
The record must be kept in writing, which includes electronic form, and made available to the supervisory authority of any Member State on request.
Companies with fewer than 250 employees are exempt from keeping this record, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions. Most online stores process customer data continuously, so the exemption rarely applies to them in practice.
Both controller and processor must implement security measures appropriate to the risk of the processing (Article 32). Among other things, you need to:
- Pseudonymize and encrypt personal data where appropriate
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Be able to quickly restore availability and access to personal data
- Have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that protect the processing
When deciding what is "appropriate", weigh the risks the processing presents: accidental or unlawful destruction, loss or alteration of the data, and unauthorised disclosure of or access to it. The controller remains responsible for the security of the data even when a processor handles it.
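Pseudonymization is the measure on this list that is most often done wrong: teams replace emails with a plain SHA-256 hash and call the result "anonymised". The example below, added here and not taken from the article or from any library, shows why that fails and what a defensible version looks like. It keys the hash with an HMAC secret held separately from the pseudonymised dataset (the "additional information" of Article 4(5)), shows that the same enumerable identifiers are trivially recovered from an unkeyed hash but not from the keyed one, and shows how destroying the key backs an erasure request even when copies of the pseudonymised data exist. The order records, the key handling and the PseudonymVault class are constructed for illustration; the standard library is all it needs.

```python
"""Keyed pseudonymization of customer identifiers (constructed example, not from the article).

The order records are fictional, and PseudonymVault and the helper names are this
example's own, not part of any library or of the GDPR text. Standard library only.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample data: two fictional customers, three orders.
ORDERS = [
    {"order_id": "A-1001", "email": "alice@example.com", "total_eur": 42.50},
    {"order_id": "A-1002", "email": "bob@example.org", "total_eur": 17.00},
    {"order_id": "A-1003", "email": "Alice@Example.com", "total_eur": 8.99},
]


def normalize(identifier: str) -> str:
    """Canonicalise an identifier so the same person always yields the same pseudonym."""
    return identifier.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: what many teams call 'anonymised'. Kept here as the weak baseline."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


class PseudonymVault:
    """Keeps the secret that turns pseudonyms back into people.

    Under GDPR Art. 4(5) pseudonymised data is still personal data; the 'additional
    information' needed to re-attribute it must be held separately. Here that
    information is a single HMAC key. Destroying the key makes every pseudonym derived
    from it unattributable, so key destruction can back an erasure request even when
    the pseudonymised dataset has been copied into backups or a warehouse.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit random key by default; a fixed key may be injected for tests.
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)

    def pseudonymize(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: pseudonyms can no longer be derived")
        return hmac.new(self._key, normalize(identifier).encode(), hashlib.sha256).hexdigest()

    def destroy_key(self) -> None:
        """Crypto-shredding: after this, nobody (including us) can link pseudonyms back."""
        self._key = None


def pseudonymize_orders(orders: List[dict], vault: PseudonymVault) -> List[dict]:
    """Replace the direct identifier with a pseudonym; keep the fields analytics needs.

    Linkability is preserved: two orders by the same customer share a pseudonym,
    which is what distinguishes pseudonymisation from anonymisation.
    """
    out = []
    for o in orders:
        row = {k: v for k, v in o.items() if k != "email"}
        row["customer_pseudonym"] = vault.pseudonymize(o["email"])
        out.append(row)
    return out


def reidentify(pseudonyms: List[str], candidates: List[str],
               derive: Callable[[str], str]) -> Dict[str, str]:
    """Dictionary attack: derive a value for each candidate identifier and look for matches.

    Email addresses and phone numbers are enumerable, so anyone who can run the same
    derivation (always true for an unkeyed hash) recovers the originals cheaply.
    Against the HMAC version the attacker lacks the key, so the same attack finds nothing.
    """
    table = {derive(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    vault = PseudonymVault()
    rows = pseudonymize_orders(ORDERS, vault)
    print("pseudonymised rows:", rows)

    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    naive = [naive_hash(o["email"]) for o in ORDERS]
    keyed = [r["customer_pseudonym"] for r in rows]
    print("naive hashes re-identified:", len(reidentify(naive, guesses, naive_hash)))
    print("keyed pseudonyms re-identified without key:", len(reidentify(keyed, guesses, naive_hash)))
    print("keyed pseudonyms re-identified with key:", len(reidentify(keyed, guesses, vault.pseudonymize)))
    vault.destroy_key()  # erasure: the pseudonyms in `rows` are now unattributable
```

In a real deployment the key would live in a KMS or HSM, be rotated per dataset or per retention period, and never be readable by the analytics systems that hold the pseudonymised rows; the dataset and the key together are still personal data, which is why Article 4(5) insists they be kept apart.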
Additionally, as the data controller you must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. If you miss the 72-hour deadline, the notification must explain the reasons for the delay.
The notification must describe the nature of the breach (the categories and approximate number of data subjects and records affected), its likely consequences, the measures taken or proposed to address it and mitigate its effects, and a contact point (such as the data protection officer) for further information.
When the breach is likely to result in a high risk to the people affected, you must also communicate it to them directly, in clear and plain language, stating at least a contact point for further information, the likely consequences of the breach for them, and the measures taken or proposed to address it and reduce its effects (Article 34).
To prevent such incidents, the GDPR requires a data protection impact assessment (Article 35) before starting processing that is likely to result in a high risk to data subjects, for example large-scale profiling, systematic monitoring of public areas, or large-scale processing of special categories of data. An online store is not automatically in scope, but behavioural advertising or tracking at scale can put it there.
Another task is to designate a data protection officer (Article 37) when your core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (public authorities must always have one). The officer informs, advises and monitors compliance and is the contact point for the supervisory authority, but legal responsibility for compliance stays with the controller.
Last, but not least, you must respect the above-mentioned rights: access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decisions.
Fines, penalties, and violations of the GDPR
The EU took into account the different sizes of companies that process personal data as controllers, processors, or both. Fines are therefore expressed both as fixed amounts and as a share of turnover, and infringements fall into two tiers.
As a penalty, the company pays either a fixed amount or a percentage of its total worldwide annual turnover of the preceding financial year.
For the lower tier (for example failures in record-keeping, security measures, breach notification or processor contracts), fines go up to 10 million euros or 2% of turnover. For the upper tier (for example violating the basic principles of processing, the conditions for consent, data subjects' rights, or the rules on international transfers), fines go up to 20 million euros or 4% of turnover. Whichever amount is higher applies.
How do you know which tier an infringement falls into? The Regulation itself lists the provisions that belong to each tier (Article 83(4) and (5)); what is left to each national supervisory authority is the amount within that range, decided case by case.
Factors taken into account include whether appropriate measures were implemented, whether the infringement was intentional or negligent, the categories of personal data affected, the number of people affected and the damage they suffered, any previous infringements, and how the organization cooperated with the authority and mitigated the damage.
As a recommendation, you should implement all the measures you can to safeguard personal data to avoid fines or sanctions.
Privacy by design, data protection by default
GDPR changes the way all companies that work with personal data interact with this information.
Before the Regulation entered into force, the norm was privacy policies that were hard to understand and often ambiguous. Users rarely knew exactly what happened to their data, and companies, sometimes out of ignorance and sometimes out of self-interest, took advantage of that.
Since May 25, 2018, the focus has shifted to protecting users. The same legislation for all organizations means that there’s more parity also for companies, not differentiating between those from the EU and those from outside.
From then on, privacy must be built into processes, services and applications from the start (privacy by design), and the default configuration must process only the personal data necessary for each specific purpose, in amount, extent, storage period and accessibility (data protection by default). Users can then choose to allow more, for instance by turning on optional features, rather than having to opt out of data collection they never asked for.
Now that you know the general impact of the GDPR on your business, let’s see how exactly it affects your processes.
How does GDPR affect online stores?
One of the provisions made by the GDPR is the lawful use of personal data.
Where the data is necessary to perform the contract with the customer, you do not need their consent; the lawful basis is the contract itself (Article 6(1)(b)). This covers processing orders, payments and fulfilment, since managing an order requires data such as an email address, a delivery address, and a first and last name.
For online payments, card or bank account details are of course necessary as well. These are personal data too, and they usually flow to a payment processor that must meet the same standard.
In many cases, information as basic as the IP address is useful to estimate shipping costs or to redirect customers to the store for their region if you run separate stores per country. An IP address is personal data, so this use must also rest on a lawful basis (typically legitimate interest) and appear in your privacy notice.
Third parties such as couriers come into play at this point of the sales process. They act as processors on your behalf, so you must bind them by a data processing agreement (Article 28) and ensure that they comply with GDPR, because as controller you face the consequences of a violation anywhere in your supply chain.
Requesting data you cannot justify violates the data minimisation principle and can lead to a sanction. Examples include date of birth or gender, or any information not needed for the order, the payment, or the delivery or return of the shipment, unless you have a specific reason for it, such as a legal age check for age-restricted goods.
If you have an online store, you probably use a platform for your online store. These types of platforms are likely to store personal data about your customers, visitors, and other users, so you should check that they comply with the GDPR, too.
It should be noted that, although GDPR allows the collection and processing of this data, as an online store you must implement measures to keep it safe. Whether you do it yourself or rely on a third party, encryption, pseudonymization and the other measures of Article 32 are mandatory if you want to avoid sanctions later.
Although GDPR allows this data to be collected and processed without the customers' express consent, you must still inform them of what you collect, why you need it to fulfil your obligations as an online store, and how long you keep it.
How does GDPR affect marketing?
Marketing is one of the areas most affected by GDPR, largely because of the abusive practices that were common before it: mass emails and SMS sent without consent, or heavily personalised ads built from tracking.
This does not apply to order tracking notifications, which are transactional emails sent to fulfil the contract rather than to promote. If you run an online store, customised tracking emails that carry your brand image, without exposing personal data unnecessarily, are a channel you can use without consent problems, as long as you do not turn them into promotional mailings.
This is possible with Outvio. This software allows automating the task of sending order tracking emails to customers, as well as creating customizable tracking and return portals with your branding.
Under the Regulation, users can choose whether and how their personal data is processed for marketing purposes.
If they allow it, you must tell them why you are contacting them and offer them an easy way to stop the communications, to delete or correct their data, or to request a copy of it, among other rights (for them) and obligations (for you).
This undoubtedly puts an end to mass, depersonalised mailings. The cost of your marketing may go up, but the results of personalisation and the peace of mind your customers gain can have a positive impact on your business.
On the other hand, you must take into account how GDPR affects the third-party services you use: analytics tools, email marketing tools, advertising pixels, and so on. Each one is a processor (or, in some cases, a joint controller) whose compliance you must check and contract for.
If GDPR has had a negative impact on your marketing strategies, you may benefit from reading this article in which we share strategies to make viral content.
How does GDPR affect customer support?
There’s a lot of data that is essential for the proper functioning of the customer service department.
Perhaps you have online tools for storing customer data. If these tools belong to third parties, you should check if they comply with GDPR, too.
Additionally, we recommend giving staff a basic course on what GDPR is and how it affects their daily work. A breach caused by human error is still a breach that may have to be notified, and the degree of negligence is one of the factors supervisory authorities weigh when setting fines, so awareness training protects the business.
Apart from these aspects, you must take precautions to safeguard personal data that is stored, processed or shared physically as well (paper records, printed shipping labels, returned parcels). Remember that the GDPR was written to protect personal data holistically, not only on the internet.
To sum up, GDPR has put an end to a regulatory environment in which businesses could take advantage of unclear and fragmented rules on the protection of personal data.
With GDPR in force, the EU has created a single body of legislation for everyone in its territory, and it binds every organization that has access to their data.
As an online business, you are responsible for the processing of the personal data of your customers, visitors, and any other person from whom you collect personal data.
Complying with GDPR is an obligation, but implementing measures that make the processing of personal data more secure is also an opportunity to earn the trust of your customers and potential customers.
Telling data subjects how you collect, use and store their data, with whom you share it, and for what purposes, must become part of your organization's daily operations if you want to avoid sanctions in the future.
We hope that this guide has clarified what the GDPR is, how it affects your online business, and what measures you must implement to ensure the correct treatment of the personal data that you store, manage, share, modify, etc.
Remember that GDPR must be taken into account in all activities that affect or are related to the processing of personal data.
In addition to analysing how you comply today, consider how each new process or change that touches personal data affects your compliance before you roll it out. Reviewing, deleting, correcting and restricting personal data must become a routine task rather than a one-off project.