GDPR: Who it affects, who must comply, and what you need to know for May 2018


Anyone that works with sensitive information should be aware that a significant change is coming to the privacy & data protection world next year.

(Cue the crescendo of horror movie music that ominously plays as a shadowy figure lurks in the distance.)

This impending change set to completely restructure basic data privacy protocols and most organizations in the US and abroad is known as the GDPR -- or the General Data Protection Regulation. It's coming, ready or not, in May 2018. And chances are, if you're not already in the process of evaluating how it affects your business, you're a bit behind the eight-ball.

Let's catch up quickly with the basics.

What is the GDPR?

The GDPR “is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.” That definition has such a welcoming ring to it!

Now that you know what it is, you probably have a few questions. Like, how can I prepare? Do I know if I even need to prepare? Here at PactSafe we believe that knowledge and access to information is power, and we’re here to pump you up!


Let's go through the high-level, vital information step by step.

In this blog we will answer the question “who?” to help you understand if the GDPR affects your organization and who the GDPR is seeking to protect.

Who does the GDPR apply to?

  1. Organizations within the EU are affected by the GDPR, and;
  2. All companies processing and holding personal data of EU “data subjects” – Regardless of where the organization is located

You may be reading and thinking “I’m a small business, how could this possibly apply to me?” While you may have less information to collect or store, you are still mandated to comply with the GDPR by simply possessing information about EU citizens.

Gist: If you offer goods or services to, or monitor the behavior of, EU data subjects then you are subjected to the GDPR no matter your organization size.

Who is a data subject?

A data subject is any identifiable natural person who can be identified directly or indirectly through:

  1. Name
  2. Identification number
  3. Location data
  4. Online identifier
  5. One or more factors specific to the:
    1. Physical
    2. Physiological
    3. Genetic
    4. Mental
    5. Economic
    6. Cultural
    7. Social identity of that natural person

Gist: If someone can be identified by the above-listed means AND they live in the EU then their information must be protected.

Pro Tip: Those storing personal information that can be attributed to the data subject can use a process called Pseudonymization which is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information

Be on the lookout for our next post that will explain tricky terms and help those affected by the GDPR understand what is required of them come May 2018!

See how we help with GDPR compliance.

Don’t miss out!

Want the latest news, tips and best practices for high-velocity acceptance? Subscribe to our newsletter.