GDPR Compliance


All about GDPR

The amount of data being created, collected, and processed has produced a need for protection. As of May 25, 2018, the new General Data Protection Regulation (GDPR) will come into effect.

The GDPR will directly affect all organizations that process personal data relating to EU citizens and EU residents. It will change how organizations treat the data they hold on individuals and how they collect it.

This regulation will focus heavily on protecting individuals and their data. GDPR will strengthen individual privacy rights and clear up any uncertainty over the consent needed for obtaining and using their personal data.

Key terms

Data Subjects: Any EU citizen or resident, whether they are your customers or employees of your organization.

Personal Data: Any individual’s personally identifiable information. This can be a name, a social media post or even a computer’s IP address.

Data Controller: The entity that collects the personal data (e.g. Marketing Department, Sales Department, Human Resources, etc.)

Data Processor: The entity that processes the personal data on behalf of the controller (e.g. cloud service, HR software, marketing platform, etc.)

Key changes

Territorial Scope: Regardless of where your organization is located, GDPR affects any entity that processes EU citizens’ personal data – regardless of where they are, and EU residents’ data – regardless of where they’re from.

Penalties: Not abiding by the GDPR puts you at risk for substantial financial penalties. The charges vary depending on how seriously you neglect the regulation’s rules, possibly up to 4% of your annual global turnover or £20 Million (whichever is greater).

Breach Notification: It is mandatory to notify customers and any affiliated persons or organizations about a data breach within 72 hours of becoming aware of it.

Right to Access: Customers can request to obtain, free of charge, any and all of their personal data.

Data Portability: Customers have the right to request their personal data in a commonly used and machine-readable format, and have the right to transfer it to another organization.

Right to be Forgotten: Customers can request Data Erasure of their personal information and it must be deleted from your database within 30 days.

Privacy by Design: Organizations should only collect and store data directly relevant to their operation and service. Large-scale organizations are encouraged to retain a Data Protection Officer.

Consents: Terms and conditions and privacy policies, including marketing communications, of your organization cannot have automatic opt-ins, must be easy to read, free of any ‘legalese’, and have a convenient opt-out option.

PayFacto has done the following:

  1. Updated all privacy policies, and terms and conditions
  2. Continued with the practice of confirmatory opt-ins across all platforms
  3. Created marketing materials for customer education
  4. Made the necessary changes to all front-of-house software and product modules to further comply with GDPR

Recommended steps for GDPR compliance

1) Audit Existing Personal Data: Appraise the personal data that your organization has collected over the years, assess where it came from, its relevance to your operations, and how you use it. Keep only data that is directly relevant to your operations. This purge lays the foundation of your organization’s GDPR compliance.

Most organizations will find that GDPR applies most significantly in Marketing, Sales, and HR departments. If you export personal data to a data processor such as a marketing service or online HR software, review your contracts and ensure that they, too, are GDPR-compliant. You, as a data controller, remain liable for any GDPR breaches.

2) Publicize How You Process Data: Modify and update your privacy policies, and terms and conditions. Inform your data subjects about exactly what personal data you are collecting, why, and what you plan to do with it.

Inform them also of their Right to Access, Right to be Forgotten, and their right to Data Portability. Finally, provide all of the above in plain, simple language; do not use ‘legalese’.

3) Gear up Personal Data for Change: Ready your organization’s databases for the requests individuals may make regarding their personal data: correction, erasure (Right to be Forgotten), procurement (Right to Access), and transmission (Data Portability). Personal data records collected by your organization must be ready for all these cases within one month of the initial request.

What are the benefits?

Creating Trust: With increasing amounts of data currently being stored across the internet, consumers are becoming warier of giving out their information for fear of misuse. A key factor to the GDPR is being clear and transparent with your customers on the information you store and why – this can help build brand confidence.

Improving the Quality of Your Database: Just as in any good restaurant the quality of the food is important, so too is the quality of your data. As the GDPR will result in you routinely sanitizing your database, venues could benefit from higher open rates, clicks, and conversions resulting from their communications.

Staying Relevant: Customers now have greater control over the content they consume, and it is much easier for them to stop interacting with you by unsubscribing from mailing lists or deleting their data. This means brands will need to create better content to retain customers and keep them engaged. It is always good to look ahead and improve your existing processes so you can get ahead of your competitors.


Any questions about GDPR? Contact us at


This webpage provides general guidance only and is not a comprehensive statement of the law.