What does GDPR mean?

As of May 25th 2018, the European Union is introducing a new regulation about Data Protection for Individuals, the so-called ‘GDRP’: General Data Protection Regulation.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

Who for?

If your company is using, storing, saving and/or transmitting any personal data of EU-citizens, you are involved!
This means the GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What do you have to do?

Review your Data Subject Consent
Companies will no longer be able to use long illegible terms and conditions full of legalese.
Request for consent must be unambiguous. It must be given in:

  • an intelligible and easily accessible form
  • the purpose for data processing must be attached to that consent

The consent must be:

  • clear and distinguishable from other matters
  • provided in a intelligible and easily accessible form
  • using clear and plain language

For sensitive personal data ‘Explicit Consent’ is required. Nothing short of “opt in” will suffice.
Appoint a Data Protection Officer (DPO)

DPOs mustbe appointed in the case of:

  • public authorities,
  • organizations that engage in large scale systematic monitoring, or
  • organizations that engage in large scale processing of sensitive personal data (Art. 37).

More info on requirements for appointing a DPO
If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Comply with ‘Privacy By Design’
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically – ‘The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
Comply with ‘Right to Access’
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Comply with the ‘Right to be Forgotten’
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
Prepare a Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Prepare for Data Portability
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format‘ and have the right to transmit that data to another controller.

How can you do this?


As entrepreneur you are responsible for the data management in your company.
As IT professionals, we at Aztalan can help you on your way to GDPR compliance.

GDPR clearly will have a lot of implications on your entire organization : marketing, sales, purchase, payment collection, HR, … As entrepreneur you have to take all necessary measures to respect this regulation, such as:
Make your employees GDPR-conscious. So they will manage personal data as required.
Adequate internal security management is a must: reliable passwords policy, e-mail & document encryption f.e.
Work with a reliable IT Team or IT supplier. Make sure it is possible to manage laptops and mobiles remotely. Make sure you can manage accounts/access/rights from a central point. Manage access to cloud drives.
Ask your suppliers & customers if they are GDPR-ready.
Note & keep track of all efforts you are producing to improve your IT security.
As your professional ERP supplier, Aztalan can support you on a wide range of services:

Upgrade your software to the last versions and patches. Most software providers are working hard to provide new GDPR-compliant functionalities. For SAP Business One, version 9.3 PL04 is a must.

Make an Inventory of all the EU-citizens, including your employee’s, personal data your company manages. Think about all the departments. You can only use/manage/store/transmit personal data if it’s really needed for your business and you can justify having it. For example: a personal delivery address if you have to deliver orders. If you have non relevant personal data, you should delete that.

Aztalan can help you set up the ERP software to comply with GDPR.


Definitions & Useful Links

Know what it’s about


Personal Data

Every piece of data or group of data connected to an individual, allowing to directly or indirectly (re)identify this person. They are different levels in the sensibility of data. From general information such as a name, a photo, an e-mailadres, a post on social networking websites, to bank coordinates, medical information, a computer IP adres, religion or sexual orientation.

Data Processor/Data Controller

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Data Subject

A Natural Person


Applicability of GDPR

It will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU.

Regulation versus directive 

A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive.

Companies will be evaluated a posteriori, on correct data management and appropriate measures taken to protect data and apply GDPR rules.
You will be asked to prove that the measures you took to mitigate risks and avoid any leak of data are efficient. In case of problems or proven inefficiency, penalties are possible up to €20 million.
This is a education portal and the information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

Your browser is out of date. It has security vulnerabilities and may not display all features on this site and other sites.

Please update your browser using one of modern browsers (Google Chrome, Opera, Firefox, IE 10).