Friend me on FacebookFollow me on Twitter! @Caruanas Follow me on LinkedIn!


Those of you who follow me on Facebook may have seen me vent my frustrations on the GDPR regulations in a 3-liner post last Friday. You may have also noticed (or participated in) the subsequent ruckus which broke out in the comments section of said post. This got me thinking that I should probably write something semi-objective about the GDPR, in case someone still has no clue what on earth GDPR is about (you should).


What is GDPR?

The General Data Protection Regulation (GDPR) is the EU’s new data protection framework, designed to harmonise data privacy laws across the bloc and to increase individuals’ rights and protection. It replaces the 1995 directive and comes into force on 25th May 2018. There will be no grace period.

Does it affect you/your business?

Short answer: a virtual certainty.

Why all the hullabaloo?

Why is this any different than other laws which require changes to a business’ operations?

Besides the fact that conforming to the GDPR requires significant and cumbersome changes which need to be implemented, the big fuss is due to its impracticality, the huge, huge potential fines (up to 20 million Euro or 4% of global revenue, whichever is highest) and, worst of all, its relative unclarity and opacity.

So until very recently, what many have been doing is simply preparing as much as they possibly could, in the hopes of understanding the regulations even better or to be able to learn from others’ experiences in dealing with the necessarily changes.

Now comes the race to actually implement, although if you haven’t started yet you might be a bit too late, or running it close (depending on the complexities of your operations). Either way, most of it feels like a shot in the dark; a best guess. The alternative to this which many are opting for is overkill, just to be safe. Unfortunately, case law (and the initial casualties) will light up the way in a few months' time.

My advice (it’s not very pretty)

The best piece of advice I can give you:
  • read the full regulations (including the recitals). It’s not fun, but essential (link below)
  • read the Article 29 Data Protection Working Party guidelines. So far they seem to offer the clearest and most detailed explanation on this very opaque directive (link below)

I was originally planning on creating a "core principles" cheat sheet for everyone, but a cheat sheet implies brevity and succinctness for which GDPR is completely unsuited due to its complexities.

Also, there are hundreds, if not thousands, of websites offering something like that. Just type “GDPR” in Google and choose your pick. They’re all different flavours of the same thing. Try to find a reputable and impartial website which doesn’t stand to directly benefit off consultancy fees.

Word of warning: A lot of legal and audit/advisory firms are offering free resources with a pinch of scaremongering thrown in. If you plan to engage any such firm, please do be careful and go to someone reputable who is ideally recommended to you by someone you trust. I’ve had a lot of firms approach me directly yet fail to promise to provide anything tangible were I to retain them for their services. Generally, they seem to be recommending that their (non-unique, in my opinion) interpretation of the GDPR should be then taken to (thereby unloading responsibility onto) a 3rd party who would use this to suggest a customised implementation plan for you. So be careful; their reluctance to assume responsibility for their professional (and paid for) advice should, at best, raise a flag.

Useful links

What has your experience with GDPR been? Tweet at me (@caruanas) or join the discussion in my GamesBiz group on Facebook.

Subscribe to my newsletter