What matters about GDPR?

Published Date: 16 September 2019

How much is your data worth?

The new oil. The world’s most valuable commodity. The ultimate renewable resource. Some call them marketing shortcuts, but the truth behind these metaphors cannot be questioned. Whether it’s defined as a public good or reduced to a commercial tool, the value of data as a fundamental asset in the digital age is undisputed. And like anything of value, it deserves protection, especially if you think that, after all, data is nothing but people and their personal information. As frustrating as it may be to get cookies notices, privacy policy updates, and pop-up windows asking for your consent whenever entering a new page on the web, it all comes with a purpose! It’s more than a year ago since the EU General Data Protection Regulation, or widely known as GDPR, came into force. It can still seem tricky and it does take time to dive into, but on the flip side it pursues the noble goal of protecting personal data. Was that really needed? You may ask. And it’s a good question, particularly considering the astounding fines it sets (up to 20 million € or 4% of the company’s global annual turnover).


A look at the background context

Companies have been gathering and processing data for decades, regardless of its imminent relevance and without prior specific consent from the subjects such data belonged to. Worsening this, the new technologies have seen an exponential sophistication: artificial intelligence, machine learning, blockchain, increased the ability of sharing information[1]. The data that was once collected and stored in a simple database, is today segmented, analysed and processed by a number of different systems, and chances are that it is consumed on a daily basis while you know very little about it. We are living in the information age, where the internet maps every move of their users and digital records can live forever, requiring proactive ethical decisions about their lifespan. New ways to breaching confidentiality have been created and the public’s concern over privacy started dominating the business sphere. Given all this, maybe the right question should rather be, is the GDPR up to the challenge?


GDPR in 5 points

The legal framework about data protection needed to be updated and harmonized; at the same time, greater power had to be ensured to individuals over the collection and processing of their data. GDPR successfully reached both goals and promoted transparency as prevailing and overarching principle. Its provisions can be summarized as follows:

  1. It applies to all the business that collect or process EU citizens’ data, regardless of the company location
  2. It requires the data processing and storage to be lawful, accurate, relevant and limited to what is strictly necessary
  3. It allows data processing after the consent, that must be freely given, informed, specific and unambiguous – except for established cases such as contract, legal obligation, vital, public or legitimate interest, that justify the processing without consent
  4. It ensures data subjects wider rights (information, access, data portability, rectification, restriction, objection to be profiled or to suffer automated decision-making, erasure)
  5. It introduces the principles of data protection by design and by default


Penneo’s commitment to compliance

Data protection and security are the core areas that inform our business. GDPR has been embedded in our operational systems and our starting point for everything we do is acknowledging our responsibility to protect our customers’ privacy. The digital signature is an essential tool to conveniently capture consent while conforming with the rules laid down for it. At Penneo, we firmly believe that fulfilling GDPR requirements leads to greater results than just avoiding serious penalties since it represents a decisive factor in choosing a company to do business with. In this context, one could say that demonstrating seriousness about compliance might be almost as important as being compliant in the first place. And this is how GDPR turns from a legal burden to a business benefit. Penneo can offer you all this.


Quick check-up for your business

  1. Check the personal data you collect and process:

Which categories of personal data does your business process? Do you have a legal basis to process personal data?

  1. Inform your customers, employees and other individuals when you collect their personal data by clearly stating:

who you are, why you are processing the data, on what legal basis, how long the data will be stored, what their rights are, how consent can be withdrawn (when consent is the legal ground for processing) and information about automated decision-making (if applicable)

  1. Make sure to delete data where it is no longer needed for the purposes you collected it for: if the data refer to your
  • employees, you only need them as long as the employment relationship and related legal obligations last
  • customers, you should not keep them beyond the term of the customer relationship and related legal obligations
  1. Ensure the security of the personal data you hold by limiting the access to your IT system and regularly updating its security settings
  2. Keep detailed records on your data processing activities, explaining what type of personal data you process and why, the storage periods and the description of technical and organizational security measures implemented to protect such data


Trust us for processing your data. You’ll consistently reinforce your privacy management while equipping your business with an auditable and user-friendly means to comply with industry standards and legal obligations. Not only this shows transparency, but it also builds a deep trust to attract and retain customers. And that is always something to smile about!


Visit our Privacy page to learn more about GDPR and how we can help you in the compliance process.


We also suggest clearly signalizing and communicating to your customers and shareholders, the procedures being implemented for compliance and the purpose of these procedures. Not only does this show transparency about security measures taken to be compliant but is also builds a deep trust and attract & retain customers.

[1] “Data protection within new technologies: blockchain”, PwC, 2019