The GDPR has redefined data privacy expectations globally, setting a high bar for compliance and enforcement.
The General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and applicable since 25 May 2018, has had profound effects beyond the EU’s borders. This webinar from Security Compass explores the regulation’s origins, its key elements, how organizations can achieve compliance, and the broader global privacy landscape the GDPR has influenced.
What Are the Goals and Scope of the GDPR?
The GDPR aims to empower individuals with control over their personal data and standardize data protection across the EU.
- Gives individuals transparency about, and control over, their personal data
- Replaces the patchwork of national laws with a single regulation across EU member states
- Applies extraterritorially: businesses outside the EU are covered if they offer goods or services to, or monitor the behaviour of, individuals in the EU
- Penalties for non-compliance can reach €20 million or 4% of annual worldwide turnover, whichever is higher
Key Elements of the GDPR
The webinar highlights four key elements of the GDPR: consent, transparency, data subject rights, and privacy by design.
Consent
Valid consent under the GDPR must be freely given, specific, informed, and unambiguous, and must be expressed by a clear affirmative action.
- No pre-checked boxes or bundled consent
- Applies to cookies, tracking pixels, and marketing communications
- Must be as easy to withdraw as it was to give
Transparency
Businesses must clearly disclose how personal data is collected, used, and shared.
- Privacy notices must be concise, easy to understand, and provided at the time the data is collected
- Must inform individuals of the rights they have over their data
- When data is obtained from a source other than the individual, they must still be informed, within a reasonable period and at the latest within one month
Data Subject Rights
The GDPR grants individuals eight fundamental rights related to their personal data.
| Right | Description |
|---|---|
| Right to be informed | Clear notice of what data is collected and why it is processed |
| Right of access | Obtain a copy of the personal data a business holds about you |
| Right to rectification | Have inaccurate or incomplete data corrected |
| Right to erasure | Have data deleted in specified circumstances; also called the “right to be forgotten” |
| Right to restrict processing | Temporarily limit processing in specified circumstances |
| Right to data portability | Receive your data in a structured, machine-readable format and transfer it to another service |
| Right to object | Object to processing for direct marketing, or to processing based on legitimate interests |
| Rights related to automated decision-making and profiling | Not be subject to a decision based solely on automated processing that has legal or similarly significant effects |
Privacy by Design
GDPR requires data protection to be embedded in system and process design from the outset.
- Mandates appropriate technical and organizational measures, both at design time and by default
- Safeguards include encryption, pseudonymization, data minimization, and access controls
- Separately from privacy by design, the regulation restricts transfers of personal data outside the EU unless appropriate safeguards (such as an adequacy decision or standard contractual clauses) are in place
Steps Toward GDPR Compliance
Effective compliance begins with governance, data mapping, and building privacy into every stage of the lifecycle.
- Update privacy policies: Align internal and external policies with GDPR requirements
- Map personal data: Know what personal data you hold, where it resides, who can access it, and how it flows through your systems
- Obtain appropriate consent: Especially important for sensitive data or new processing activities, and wherever consent (rather than another lawful basis) is relied on
- Enable user rights: Implement mechanisms for access, rectification, deletion, and portability, and for withdrawing consent
- Appoint a Data Protection Officer (DPO): Mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring or large-scale processing of special categories of data
- Implement Privacy by Design: Integrate controls from the start of development rather than retrofitting them
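The following is an added example, not code from the webinar, from Security Compass, or from SD Elements. It shows, in working Python, what the Privacy by Design element and the "Enable user rights" and consent-withdrawal points above look like in a minimal system: direct identifiers live in one restricted store, processing records carry only a random pseudonym plus a whitelist of fields (data minimization), consent is checked per purpose and withdrawal stops further processing, and the access/portability and erasure rights are served as operations over those stores. The store names, field names, purpose names and the sample subject are illustrative assumptions.

```python
import json
import secrets
from datetime import datetime, timezone

# Added example (not from the webinar): three separate stores with distinct access
# scopes. Store, field and purpose names are illustrative assumptions.


def _now():
    return datetime.now(timezone.utc).isoformat()


class IdentityVault:
    """Restricted store: the only place where direct identifiers meet pseudonyms
    (the 'additional information' GDPR Art. 4(5) says must be kept separately)."""

    def __init__(self):
        self.records = {}  # subject_id -> {"email", "name", "pseudonym"}

    def register(self, subject_id, email, name):
        # A random token, not hash(email): a hash can be recomputed by anyone who
        # knows the address, so deleting the mapping would not break the link.
        self.records[subject_id] = {"email": email, "name": name,
                                    "pseudonym": secrets.token_hex(16)}

    def pseudonym_of(self, subject_id):
        return self.records[subject_id]["pseudonym"]


class ConsentLedger:
    """Per-purpose consent; withdrawal is timestamped, not deleted, so it stays demonstrable."""

    def __init__(self):
        self.grants = {}  # (subject_id, purpose) -> record

    def grant(self, subject_id, purpose, notice_version):
        self.grants[(subject_id, purpose)] = {"purpose": purpose, "notice_version": notice_version,
                                              "granted_at": _now(), "withdrawn_at": None}

    def withdraw(self, subject_id, purpose):
        self.grants[(subject_id, purpose)]["withdrawn_at"] = _now()

    def allows(self, subject_id, purpose):
        rec = self.grants.get((subject_id, purpose))
        return rec is not None and rec["withdrawn_at"] is None

    def for_subject(self, subject_id):
        return [r for (s, _), r in self.grants.items() if s == subject_id]


class EventStore:
    """Processing layer: rows carry the pseudonym only, plus a whitelist of fields."""
    ALLOWED = {"event", "page"}

    def __init__(self):
        self.rows = []

    def record(self, pseudonym, **fields):
        # Data minimisation: anything not needed for the purpose (e.g. a raw IP) is dropped.
        self.rows.append({"pseudonym": pseudonym, "ts": _now(),
                          **{k: v for k, v in fields.items() if k in self.ALLOWED}})

    def for_pseudonym(self, pseudonym):
        return [r for r in self.rows if r["pseudonym"] == pseudonym]


class PrivacyService:
    def __init__(self):
        self.vault, self.consents, self.events = IdentityVault(), ConsentLedger(), EventStore()

    def track(self, subject_id, purpose, **fields):
        """Store an event only while consent for this purpose is active."""
        if not self.consents.allows(subject_id, purpose):
            return False
        self.events.record(self.vault.pseudonym_of(subject_id), **fields)
        return True

    def export_subject(self, subject_id):
        """Right of access / portability: one subject's data, machine-readable (JSON)."""
        rec = self.vault.records[subject_id]
        return json.dumps({"profile": {"email": rec["email"], "name": rec["name"]},
                           "consents": self.consents.for_subject(subject_id),
                           "events": self.events.for_pseudonym(rec["pseudonym"])}, indent=2)

    def erase_subject(self, subject_id):
        """Right to erasure: drop events, consent records and the identity link.
        Returns the number of event rows removed."""
        pseudonym = self.vault.pseudonym_of(subject_id)
        before = len(self.events.rows)
        self.events.rows = [r for r in self.events.rows if r["pseudonym"] != pseudonym]
        self.consents.grants = {k: v for k, v in self.consents.grants.items() if k[0] != subject_id}
        del self.vault.records[subject_id]
        return before - len(self.events.rows)


def run_demo():
    """Constructed walk-through returning the observations worth checking."""
    svc = PrivacyService()
    svc.vault.register("u1", "ada@example.org", "Ada")  # constructed sample subject
    svc.consents.grant("u1", "analytics", notice_version="2.1")
    stored = svc.track("u1", "analytics", event="view", page="/pricing", ip="203.0.113.7")
    svc.consents.withdraw("u1", "analytics")
    stored_after_withdrawal = svc.track("u1", "analytics", event="view", page="/docs")
    export = json.loads(svc.export_subject("u1"))
    removed = svc.erase_subject("u1")
    return {"stored": stored, "stored_after_withdrawal": stored_after_withdrawal,
            "exported_events": len(export["events"]), "ip_in_export": "ip" in export["events"][0],
            "removed": removed, "subject_known": "u1" in svc.vault.records,
            "rows_left": len(svc.events.rows)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter more than the code itself. The pseudonym is a random token held only in the vault, so deleting the vault row is what makes the remaining analytics rows unlinkable; a keyed hash of the e-mail address would not give that property, because anyone holding the key and the address could recompute it. And the event store never sees the raw request fields, so a later access request cannot surface data (such as the IP address in the demo) that was never needed for the stated purpose.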
Is GDPR Enforcement Effective?
Despite uneven enforcement across EU member states, the GDPR is driving better privacy practices globally.
- Fines of up to €20 million or 4% of annual worldwide turnover are imposed by national Data Protection Authorities (DPAs)
- DPAs have investigatory powers and can order audits, impose sanctions, and require corrective actions
- At the time of the webinar, more than 160,000 breach notifications had been filed with DPAs since May 2018
- Enforcement tends to hit small and mid-sized businesses harder than tech giants, for whom even headline fines are small relative to revenue
Example Fines
| Organization | Reason for Fine | Fine Amount |
|---|---|---|
| Google (CNIL, France, 2019) | Lack of transparency and inadequate information, and no valid consent for ad personalization | €50 million |
| British Airways (ICO, UK) | 2018 breach exposing the data of about 500,000 customers | £183 million proposed in 2019; the final penalty, issued in October 2020, was £20 million |
Global Privacy Trends Inspired by the GDPR
The GDPR has influenced privacy regulations globally, including in California and within the EU itself.
California Consumer Privacy Act (CCPA)
The CCPA mirrors several GDPR concepts but has key differences.
| Feature | GDPR | CCPA |
|---|---|---|
| Consent required | Opt-in consent where consent is the lawful basis relied on | No; consumers may opt out of the sale of their data (opt-in required for minors under 16) |
| Data access and deletion | Included | Included |
| Rectification right | Yes | Not in the original CCPA (the CPRA added a right to correct from 2023) |
| Right to object / profiling | Yes | No |
| Penalties | Up to €20 million or 4% of annual worldwide turnover, whichever is higher | Up to $2,500 per violation, or $7,500 per intentional violation |
EU ePrivacy Regulation
A proposed regulation intended to replace the 2002 ePrivacy Directive and extend GDPR-style rules to electronic communications.
- Covers all digital communication: messaging apps, cookies, tracking technologies
- Requires clear consent for tracking and marketing
- Repeatedly delayed by disagreement among member states over key terms; the webinar expected it to follow the GDPR into force, but it remained stalled, and in February 2025 the European Commission announced it would withdraw the proposal
Tools to Help with GDPR Compliance
SD Elements supports GDPR by integrating privacy controls into the development lifecycle.
- Offers secure development requirements aligned with GDPR
- Helps implement consent mechanisms, privacy notices, and data protection controls
- Embeds Privacy by Design into software projects from the start
Final Thoughts
The GDPR has elevated the importance of privacy globally and continues to influence how organizations handle data.
Compliance requires thoughtful strategy, cross-functional coordination, and ongoing adaptation to new guidance. Whether you’re operating within or outside the EU, aligning your privacy practices with the GDPR is increasingly a global necessity.