Simply put, the General Data Protection Regulation (GDPR) is a new/updated regulation of the European Parliament and Council of the European Union (EU). It was made in regard to general data protection for consumers.

The GDPR was adopted by the EU’s Parliament in April 2016, but went into full effect on May 25, 2018, replacing the 1995 EU Data Protection Directive. The GDPR also replaced the 1998 UK Data Protection Act. The new GDPR levels, flattens, and standardizes the data protection law for all 28 EU countries, providing no advantage to one company over another. It also creates strict rules on how personally identifiable information (PII) is processed. The GDPR is a regulation, not a directive, so it does not require any legislation to be passed by the government.

The goal of the GDPR is to give the consumer, not corporations, control of their personal information and data that is shared and streamlined. Consumers can now have full transparency and understanding as to what information companies are storing on them, as well as for what purpose the companies obtain their personal information. 

What is not commonly understood about the GDPR is just how gritty it actually is. The GDPR applies to every organization that holds personal data from EU residents, no matter their specific geographic location—applying to companies both inside and outside of the EU. Personal data includes: 

  • identification number;
  • location data; and, 
  • online identifiers. 

If a company offers services or goods to a resident of the EU, it must comply with the GDPR, even if it is not directly located within the EU.

While some consumers and companies alike may turn a blind eye to the recent changes and pay them no regard, there are specific components that are necessary to understand. This information will help protect you, the consumer, and provide you with more transparency.

The GDPR includes: 

  • increased fines; 
  • breach notifications; 
  • opt-in consent; and, 
  • responsibility for data outside of the EU. 

Penalties can include four percent of global turnover or 20 million euros, whichever is larger, if a company does not comply with the rules. Several large corporations and companies bring in billions every year, so 20 percent could be a catastrophic blow.

Companies (both controllers and processors) may also receive a fine if their records and findings are not in order, if they do not report a breach within the company within 72 hours, or if they do not conduct an initial impact assessment.

Article 28(1) of the GDPR states that:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

The controllers (entity that determines the purpose of data) must create a technical and organizational plan to implement the new measures. 

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

The processors (entity which processes the data on behalf of the controller) must disclose: 

  • what data is collected on the consumer;
  • the intention for harvesting the data and if any other third parties also control the data outside the EEA (European Economic Area); and,
  • for how long they (the companies) intend to keep the data.

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 


Now, the GDPR is not as cut and dried as it may initially appear. Within the GDPR, there are two grounds for processing personal data that apply directly to B2B marketing—consent and legitimate interest. Legitimate interest, or, ‘Correct Marketing to the Correct Person’ ensures the key conditions for relating the interests to a third party are met.

Within these grounds, companies can continue to use the data they have already obtained for B2B marketing engagement as long as the appropriate measures are understood and upheld to ensure the data aligns with the campaign.

Due to the new GDPR limitations, 

  • 1 in 3 B2B marketers are fully expecting their conversion rates to drop;
  • 40% of B2B marketers believe their strategy in place will suffer; and,
  • over 50% of marketers think their mailing lists will significantly shrink. 

In order to not feel the expected effects, 

  • be certain to re-obtain permission from your customers in order to still communicate with your subscribers; 
  • collect new opt-ins through social media, websites, and more; and, 
  • understand you will receive some opt-outs. 

Email marketing is still the preferred method of communication and marketing for B2B/B2C outlets. As always, it is quick, easy, effective, and allows you, the company, to have fast correspondence with your tens of thousands of customers.

Pro tip: Be certain to update your website’s domain name and email address for fast, easy name recognition. 


Due to the potential consequences, companies such as Instapaper, and newspapers such as the Chicago Tribune and the Los Angeles Times began to provide stripped-down versions to their EU consumers. NPR (National Public Radio) and USA Today also began to provide services with limited capabilities.

As soon as midnight struck on May 25, 2018, Facebook’s subsidiaries Instagram and WhatsApp took a massive blow by being sued for their use of ‘forced consent.’ Google was also fined nearly £44m for not complying within the bounds of the GDPR. 

While these penalties may come across as shocking or harsh, companies have had over two years to prepare for the new guidelines. 


The GDPR is mostly aimed at larger companies. These new regulations will have great impact, but also go to show that companies are not taking advantage of their loyal customers.

Richard is an experienced tech journalist and blogger who is passionate about new and emerging technologies. He provides insightful and engaging content for Connection Cafe and is committed to staying up-to-date on the latest trends and developments.