Collect or process personal data of EU citizens? GDPR applies to you

The EU General Data Protection Regulation is one of the biggest changes to data protection laws in Europe, and businesses need to be prepared. Find out what it means for you and how to stay compliant.

What is GDPR?

The new EU General Data Protection Regulation (GDPR) comes into effect in all member states on May 25, 2018. The regulation is designed to improve data protection for individuals within the European Union and, by standardising regulations across the EU, to provide businesses with a clearer legal structure within which to operate.

What do the regulations mean for you?

The GDPR applies to ALL organisations that collect and process personal data of individuals residing within the EU, regardless of the company’s physical location. This means that if you have customers from the EU, but your business is not located within the EU itself, you’ll still need to adhere to the new regulations.

The GDPR further defines organisations as either “controllers” or “processors”.


In general terms, the controller is the entity that determines the purposes for which (i.e., why) and the means by which (i.e., how) personal data are processed.


In general terms, a processor is any entity or individual (other than an employee of a controller) that processes personal data on the controller’s behalf.

Figure: scheme showing when GDPR applies

To stay compliant, your business will need to account for the following:

Increased Territorial Scope

Perhaps the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR. Regulations will apply to any company collecting and/or processing personal data of an EU citizen regardless of where the company’s physical offices are located.


Organisations will be required to obtain an individual’s consent to store and use their data. The request for consent must be given in an intelligible and easily accessible form and must explain how the data will be used.

Breach Notification

Under the GDPR, breach notification will become mandatory within 72 hours of discovering a security breach where the breach is likely to “result in a risk to the rights and freedom of individuals.”

Right to Access

Organizations must be able to provide electronic copies of private records to individuals requesting what personal data the organization is processing, where their data is stored and for what purpose. Furthermore, a copy of the personal data shall be provided free of charge, in an electronic format.

Right to be Forgotten

EU citizens will be able to request that organizations not only delete their personal data but also that they stop sharing it with third parties, who are then also obligated to stop processing it.

Data Portability

This regulation gives individuals the right to transmit their data from one controller to another. Organizations must be able to provide an individual’s personal data in a ‘commonly used and machine-readable format’.

Privacy by Design

Privacy by design is now a legal requirement in GDPR. At its core, this means that data protection and security must be designed into systems, products and processes from the onset.

Data Protection Officers

Both data controllers and data processors will now require the appointment of a DPO. They may be a staff member or an external provider but must be appointed on the basis of professional qualities and, in particular, have expert knowledge on data protection law and practices.

It is important to note that not all companies are obliged to have a DPO. Only those “whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.”


Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

There is a tiered approach to fines. For example, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, which means that clouds will not be exempt from GDPR enforcement.

If you’d like to go further into the details you can read the legal spiel.

Your GDPR Checklist

The following checklist for processors can serve as a starting point for what you and your marketing platform should be able to account for to adhere to GDPR.

  • Ensure that you appoint a Data Protection Officer
  • Ensure that you appoint a local representative (if your company is not established in the EU)
  • Implement appropriate organizational and technical measures that will allow you to account for security risks and to assist the controller in responding to requests of individuals
  • Keep personal data confidential & require staff to adhere to confidentiality obligations
  • Ensure that you keep meticulous written records and make records available to controller and regulators as and when required
  • Notify the controller of a data breach incident as soon as possible and provide them support
  • Only process personal data to the extent that is authorized by the controller
  • Obtain the controller’s written permission before you engage sub-processors
  • When entering contracts with sub-processors provide the same level of protection as the principal contract with the controller
  • Notify the controller if the controller’s instructions infringe upon EU data protection laws
  • Assist the controller in Data Protection Impact Assessment
  • Delete or return to the controller (at the controller’s choice) all personal data when no longer providing services
  • Ensure that you have GDPR-approved safeguards in place before you transfer personal data across borders (or confirm that the “receiving” country is on the EU Commission’s list of approved countries)
  • Assist the controller in responding to an individual’s exercise of their privacy rights
  • Ensure that you cooperate with the requests of EU member state regulators
  • Train your staff on GDPR and create company policies on compliance & non-compliance
  • Update your company policies (e.g., online privacy policy & written information security policy)

There are more things that will change in 2018; read about them in our 2018 Email Marketing Trendbook.

Stay compliant

ExpertSender’s flexible, yet robust platform built on a relational data model means that we are perfectly equipped to ensure you stay compliant with GDPR. Our platform allows you to have full control over your customer data and you can easily execute end-user requests to be forgotten. It also ensures privacy by design, data access and portability that’s mandated by GDPR.

Is your business compliance-ready for when the new regulations come into effect?

Written by
Marcin Chruszcz
Account Manager at ExpertSender
Email and marketing geek. Specializes in email deliverability, strategy and design. Basketball and MTB riding enthusiast.