The General Data Protection Regulation (“GDPR”) was formally adopted by the European Union in April 2016 and came into force on May 24, 2016. There is a two-year transition period, so it will effectively apply from May 25, 2018. To put it simply, there is no turning back; the clock is ticking. You might think this is more than enough time (especially if you buy magical software that will make you compliant), but for me it will be a last-minute success if you start now.

Why should you care about GDPR?

I can give you plenty of reasons. In the worst case, you can be fined $20 million or up to 4% of your annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

Scope of GDPR

GDPR aims to protect the personal data of all EU Citizens, no matter where in the world it is being processed. Under GDPR we, people, are known as Data Subjects.

GDPR has global impact – do not think this is for European companies only

If you are a company based in the EU, you need to comply. If you are a company based outside of the EU and have EU customers, you need to comply.

Companies within GDPR

There will be two options:

  • Data Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
  • Data Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…”

Key Points in GDPR

  • Consent – Valid consent must be explicit for data collected
  • Pseudonymization – The GDPR refers to pseudonymization as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymization is encryption. So, in short, encryption of data will be a must.
  • Data breaches – must be reported to the proper authority within 72 hours.
  • Right to erasure – upon a person’s request, all data related to them must be deleted.
  • Data portability – per person’s request it shall be possible to transfer their personal data from one electronic processing system to and into another.

Sounds very technical so far, right? Encryption, Data migration and Erasure, but it is not. It affects the whole company, all services and processes.

  • Data protection by Design and by Default – data protection is designed into the development of business processes for products and services. Mechanisms should be implemented to ensure that personal data is only processed when necessary for each specific purpose.

The Right to be Informed

You must be told what data is being collected, for what purpose, what is the Legal Basis that is allowing collection, how long it will be kept for, what types of companies will receive the data and which countries the data is being kept or sent to.

You also need to be provided the contact details of the Data Protection Officer (see below) and be told how you can withdraw Consent.

Data protection officer (DPO)

If a company meets certain conditions, then they need to appoint a DPO:

  • Process Personal Data on a large scale
  • Public Authority
  • Process Sensitive Data (see below)

This role will ensure that all GDPR regulations are met and will be the point of contact for GDPR processes such as Subject Access Requests; however, the DPO will not be responsible for executing these processes. The DPO role can be shared across a group, be outsourced or be appointed even if the above conditions do not apply.

Legal Basis

Data must be processed lawfully and be collected based on:

  • Consent – Consent is given for the defined purposes at the time of data collection.
  • Contract – Specific data is required to fulfill contractual obligations.
  • Legal – There are overriding legal reasons for collecting the data.
  • Vital Interest – Where it is necessary, in the Vital Interest of the Data Subject.
  • Public Interest – Can be used by public authorities or private companies acting in the public interest.
  • Legitimate Interest – Covers actions where Consent is not in place; however, to enable the Company to act in its own interest, it needs to share specific and accurate data with a third party.

These points are most valid if you deal with sensitive data (see below).

Sensitive Data

However, if you are collecting any of the data that is deemed sensitive, you must meet one of the Legal Basis categories above. What is sensitive data?

  • Racial
  • Ethnic
  • Political
  • Religious
  • Philosophical
  • Trade Union
  • Genetic
  • Biometric
  • Health
  • Sexual

The main point I want to stress in the end is that with GDPR in place the personal data is now really personal, so the companies are mere processors and controllers of this data. The people will need to be respected, because if they are not, big penalties will be applied.

If you want to know more, please contact me at


Tell me your thoughts in the comments and let’s open a dialog. I would be excited to hear other opinions on this topic.


This article features content from a “Contributing Author” to the Project Management for Today Community. This content is published on this site with the author’s explicit permission. As with all articles on this site, this article is protected by copyright. If you are interested in becoming a Contributing Author to this site, you can learn more by reading the information HERE


You may republish this article in whole or in part with attribution to the author and a direct link back to the full article on this site. Attributions MUST include a hyperlink to the original article, as well as a "Canonical Link" reference embedded in the <head> section of the page.


Nikola Gaydarov

Contributing Author

Nikola has been in the IT sector for almost 10 years. He started his career in HP Global Delivery Center back in 2007 and since then has been involved in many different roles: technical consultant, operational manager, transition manager and ITSM implementation consultant. During these years he has worked both domestically and in Western Europe.

Designing and improving processes is his passion. Working with the stakeholders to define all roles and responsibilities is where he finds most of the challenges. Proposing solutions and solving those challenges is his biggest reward.

He has been teaching ITIL® since the beginning of 2015, after successfully becoming an ITIL® Expert. Courses that he has successfully delivered are: ITIL® Foundation, ITIL® OSA, ITIL® RCV, ITIL® PPO, ITIL® SOA and ITIL® MALC.

As a consultant, Nikola has also gained a lot of practical experience in Project Management. He used this experience to successfully acquire PRINCE2® Practitioner certification.

