A few weeks ago, a client (who is far more technologically sophisticated than I am) was talking about GDPR and its impact on their business. Inspired by that conversation, I decided to create a quick overview of GDPR for those of you who, like me, are easily confused by lengthy acronyms. In the interest of full disclosure, I am a strategist and writer, not an attorney with international expertise in data privacy.

What the heck is GDPR, anyway?

GDPR is an acronym for General Data Protection Regulation, which is the EU’s not-so new set of rules that governs the use of personal data. GDPR specifies how personal data should be used, and how it should be protected.

What rules does GDPR lay down?

A lot, frankly. But to keep things simple, GDPR covers seven key aspects of privacy:

Consent

Privacy language needs to be simple and clear. Consumer consent needs to be as easy to withdraw as it is to give, and since giving consent usually means “clicking a box”, you should make it equally simple for your visitors to revoke consent.

Breach Notification

If your data is breached, and customer data is compromised, data processors have to notify their controllers and customers in 72 hours or less. So you’ll need to hustle.

Right to Access

If your customers ask, you need to tell them you’re processing their data. And you need to give them an electronic copy of the data for free.

Right to be Forgotten

When the data is no longer relevant to its original purpose, data subjects (your customers) can ask you to delete it — and stop sharing it.

Data Portability

This means customers can ask for a copy of the data you’ve gathered, and use it themselves.

Privacy by Design

This is the part that we’re most concerned with. Simply speaking, you need to “bake in” data protection and privacy throughout the design of your digital process. If you do something sloppy (like sending personal information unencrypted), you’re in trouble.

Data Protection Officers

Large organizations with 250 employees or more need to have someone appointed to oversee the security of customers’ personal data.

I’m not in the EU. Am I affected by GDPR?

Maybe, and maybe not. The GDPR covers the data of citizens of the European Union, even if the company managing the data operates elsewhere. So if you have customers in the EU, you need to comply.

When does GDPR go into effect?

May 25, 2018.

Why should I care?

You should care because your customers expect you to be responsible with their personal data, and customer trust is essential to the ongoing success of your organization, company, or brand. You should also care because the rule contains financial penalties of up to 20 million euros.

How do I comply with the GDPR?

It’s gonna take some work (and probably another blog post or two). But this video is a great place to start. If you’re using HubSpot’s marketing software, check out their GDPR updates page and HubSpot’s GDPR checklist.

And if you don’t have users in the EU, it’s still a good idea to implement some of these recommendations. The trust of your audience is critical to your success, and if you show your users you’re taking great pains to respect their data and their privacy, you’re far more likely to earn and keep that trust.

Do you have specific questions or concerns about GDPR or other security issues? Let’s talk.