GDPR takes effect in six months: what companies with EU exposure need to do
The European data protection regulation goes live in May 2018. Companies with European customers or offices are required to comply, regardless of where they are based.
On 25 May 2018, the General Data Protection Regulation - GDPR - takes effect in the European Union. Less than six months remain, and most companies affected by it have not yet started preparing.
I am not writing to create panic. I am writing to clarify who this affects, what actually needs to be done, and what does not.
Who this affects - honestly
GDPR applies to any organisation that processes personal data of EU citizens, regardless of where the organisation itself is located. This means:
- online shops selling to European buyers;
- SaaS services with European users;
- companies with offices or employees in EU countries;
- companies that process data of European partners or clients under B2B agreements.
If you have no European users, customers or employees at all, GDPR does not apply to you. If you have even one, you need to understand what it means.
An important point: GDPR applies to the data of EU citizens, not to data processed on EU territory. If a German citizen uses your service from a Russian IP address, their data still falls under GDPR.
What GDPR actually requires
This is not just "signing paperwork". The key requirements:
Lawful basis for processing. Every operation involving personal data must have one of several lawful bases - consent, contract, legitimate interest and others. Consent must be explicit, informed and easily revocable.
Data subject rights. Users have the right to know what data is held about them, to request corrections, to request deletion ("right to be forgotten"), and to request their data in a machine-readable format.
Breach notification. In the event of a data breach, the organisation must notify the regulator within 72 hours. In some cases it must also notify the data subjects directly.
Data protection by design. When building new systems, data protection requirements must be considered from the outset, not added afterwards.
A Data Protection Officer (DPO). Not mandatory for everyone, but required for organisations that process large volumes of personal data or handle sensitive data categories.
What does not need to be done
There is no need to immediately hire a law firm and launch a major project. Most companies that formally fall under GDPR serve a small number of European users of an ordinary product. For them, the task comes down to updating the privacy policy, setting up consent forms and putting basic technical measures in place.
GDPR fines can be significant (up to 4% of annual turnover or 20 million euros), but regulators focus first on large players and organisations that ignore the requirements systematically. A company making genuine compliance efforts is in a fundamentally different position from one that does nothing.
Where to start right now
- Establish whether you have European users, customers or employees, and in what volume.
- Do an inventory: which personal data of EU citizens you process, where it is stored and how it is used.
- Check whether there is a lawful basis for each operation involving that data.
- Update the privacy policy and consent mechanism.
- Verify that users have the technical means to exercise their rights - request data, modify it, delete it.
Six months is enough to get the basics in order. It is not enough to rebuild your entire architecture. The right starting point is understanding the scope of the task.