Demonstrating Effective Compliance with GDPR

The Wall Street Journal has reported that one year after GDPR was implemented across the European Union (EU), officials are finally about to announce enforcement actions that could result in large fines. Until now the extent of monetary penalties issued has been relatively small. Authorities in Ireland and the United Kingdom, however, say this time was used to build the necessary cases against companies that contravene the new data protection rules.


The nature of personal data has changed dramatically in the last two decades. Our daily lives are increasingly being driven by the use of digital data. As the online world expands, and increasingly runs in tandem with the tangible world, the amount of digital information each person produces has grown exponentially. Every internet search, tweet, online purchase, or internet cookie has the potential to be linked back to a person, and therefore represents a possible threat to privacy.

The size of the problem is demonstrated by the rise in the amount of data being created and held in databases.

It was estimated the total amount of data held in the world was about three exabytes in 1986. By 2011 that was estimated to exceed 300 exabytes and since then it has continued to grow enormously. Today, it is estimated the US alone has over two zettabytes of data.

Privacy has therefore become a major concern for governments and individuals. Businesses have an obligation to protect their customers, but the scale and variety of data they may hold can make this difficult.

General Data Protection Regulation

Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), was adopted in April 2016 and has applied across the European Union (EU) since May 25, 2018; it was subsequently incorporated into the European Economic Area (EEA) Agreement, extending it to the remaining EEA countries. GDPR replaced the Data Protection Directive 95/46/EC.

GDPR asserts the right of the individual to control their personal data. It applies to any organization, commercial or not, that processes personal data in the context of an establishment in the EU/EEA, regardless of where the processing itself takes place. It also applies to organizations with no EU/EEA establishment that offer goods or services to, or monitor the behaviour of, individuals located in the EU/EEA. Scope is determined by where the data subject is, not by citizenship, so a business based outside the EU/EEA can still fall under GDPR.

The EU has adopted a broad definition of personal data – “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

In simple terms, online identifiers such as IP addresses and cookie IDs count as personal data whenever they can be linked, on their own or in combination with other data, to an individual. Businesses therefore need to protect them with the same vigor they extend to shielding a customer’s name, address or national identification number.

GDPR has given individuals eight data rights, which organizations must comply with:

  1. Right to be informed – organizations must clearly inform individuals when they collect their data, for what purpose, on what legal basis and for how long it will be kept
  2. Right of access – organizations must confirm whether they process an individual’s data and give the individual a copy of it
  3. Right to rectification – organizations must allow individuals to correct inaccurate or incomplete data
  4. Right to erasure – organizations must delete an individual’s personal data on request in defined circumstances (the right is not absolute; for example, data needed to meet a legal obligation may be retained)
  5. Right to restrict processing – if requested, an organization must limit processing to storage of the data while, for instance, its accuracy or the legitimacy of the processing is disputed
  6. Right to data portability – an individual can receive the data they provided in a structured, commonly used and machine-readable format and have it transmitted to another business (e.g. to get a better deal)
  7. Right to object – an individual can object to processing based on legitimate interests or performed for direct marketing. For direct marketing the organization must stop without exception; for other processing it may continue only if it can demonstrate compelling legitimate grounds that override the individual’s interests
  8. Rights related to automated decision-making – an individual has the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects, unless the decision is necessary for a contract with the individual, authorized by law or based on the individual’s explicit consent

SGS offers the Europrivacy certification scheme to help businesses:

  • Systematically check and demonstrate GDPR compliance
  • Mitigate the legal, financial and reputational risks caused by non-compliance
  • Optimize their data protection
  • Gain easy and fair access to EU/EEA markets
  • Increase stakeholder confidence in their company

SGS offers a comprehensive range of services to help organizations understand and comply with data protection regulations such as GDPR. Our experts can assist in the implementation of compliant practices, helping businesses to protect themselves from the risks associated with data collection and retention.
