We've come quite far in our GDPR story since we started this series of blog posts in July. We have addressed quite a few key points you need to be aware of, and looked at how you can start to address them. So, for the last Tuesday blog post of this year, I thought it would be good to recap the main critical issues.
Readers of this series are likely familiar with the basics of GDPR. However, for those new to the topic, here’s a concise refresher.
The General Data Protection Regulation (GDPR) is an EU regulation that took effect on May 25, 2018, establishing a unified approach to data protection. It applies to any company that offers goods or services to, or monitors the behavior of, EU data subjects—regardless of where the company is based.
Non-compliance can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
How much of a shakeup is GDPR?
Every company is different. You likely already know whether you handle standard or sensitive data and how central it is to your business. If any uncertainties remain, a thorough data audit can help map your data and assess accessibility.
From there, consider implementing mechanisms to improve access to specific data and identify whether someone in your organization can lead this effort. Taking these initial steps is crucial for achieving GDPR compliance.
We are a digital agency. Who is responsible, the client or us, and where?
Digital agencies typically act as data processors, handling personal data on the documented instructions of their clients, who are the data controllers. Existing contracts that define how client data may be used therefore need a careful review: the processing an agency performs must stay within those instructions. Under GDPR, a processor must notify the controller of a personal data breach without undue delay, and the controller must notify the supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to put individuals at risk.
This is where agencies can provide real value to clients. By ensuring data controllers avoid non-compliant actions—such as sending newsletters to recipients who haven’t explicitly opted in—they help mitigate risks and potential fines.
As data processors, agencies are also responsible for implementing robust measures to prevent data breaches and uphold the rights of data subjects.
How does this affect content management?
A content management system (CMS) plays a crucial role in GDPR compliance, as it directly impacts how personal data is handled. Easily accessible consent records and well-mapped data flows are essential for proving compliance, making a GDPR-ready CMS a vital part of your tech stack.
Ignorance of the law is no excuse—GDPR compliance requires clear, provable consent, especially for activities like sending newsletters or running marketing automation.
Your CMS should also support the rights GDPR protects. For instance, if a data subject requests a copy of their personal data, you must provide it without undue delay and within one month of the request (extendable for complex requests, if you tell the subject why). They also have the right to receive their data in a structured, commonly used, machine-readable format so that it can be transferred to another provider if they choose to move elsewhere.
What other rights does GDPR cover?
GDPR was designed to protect individuals' rights by establishing a uniform set of rules for all companies subject to its regulations.
It replaces inconsistent and often ambiguous guidelines, requiring businesses to handle data more responsibly. In the long run, this not only ensures compliance but also enhances data accessibility and overall usefulness.
Individuals have many rights under GDPR, but the main ones are:
- Data portability: Data subjects have the right to request all personal data a company holds about them in a structured, machine-readable format that allows easy transfer to another service. This gives them greater control over their personal information and promotes transparency in data handling.
- The right to be informed: Individuals must be told, at the time their data is collected, what is being processed, for what purpose, on what legal basis, and with whom it is shared.
- The right to be forgotten: Data subjects can demand that all data held about them be erased. If that data has also been shared elsewhere, such as with a CRM or a subcontractor, it must be deleted there too, so you need to know every location a record has been copied to. There are circumstances where erasure cannot be carried out in full, such as when the data must be kept to meet a legal obligation, to defend legal claims, or for reasons of public interest.
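As an added illustration of what a CMS or agency back end needs to do to support those three rights in practice, here is a small data-subject-rights handler. This is example code written for this post, not Kentico's or any product's code; the `DataStore` class, its method names, the downstream erasure callbacks and the retention labels are all assumptions, and the subject record used in the demo is constructed. It keeps consent as a dated, attributable record (so a newsletter send can be checked against an explicit, unwithdrawn opt-in), exports everything held on a subject as machine-readable JSON, and on erasure fans out to every registered downstream location while keeping only fields under a documented retention obligation and reporting which downstream deletions are still pending.

```python
"""Example data-subject-rights handler (added illustration, not product code)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass
class ConsentRecord:
    """One explicit opt-in, with enough context to prove it later."""
    purpose: str            # e.g. "newsletter"
    given_at: str           # ISO-8601 UTC timestamp
    source: str             # where it was collected, e.g. "signup-form-v3" (assumed name)
    text_version: str       # version of the consent wording the subject actually saw
    withdrawn_at: str | None = None


@dataclass
class SubjectRecord:
    email: str
    profile: dict = field(default_factory=dict)
    consents: list[ConsentRecord] = field(default_factory=list)
    # profile keys that cannot be erased yet, mapped to the documented reason
    # for keeping them (an Art. 17(3) exemption such as a tax-law retention period)
    retained: dict[str, str] = field(default_factory=dict)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class DataStore:
    """Minimal controller-side store with fan-out to downstream processors."""

    def __init__(self) -> None:
        self.subjects: dict[str, SubjectRecord] = {}
        # name -> callable(email) returning True once the downstream copy is gone
        self.downstream: dict[str, Callable[[str], bool]] = {}

    def register_downstream(self, name: str, erase: Callable[[str], bool]) -> None:
        self.downstream[name] = erase

    def add_subject(self, email: str, profile: dict,
                    retained: dict[str, str] | None = None) -> None:
        self.subjects[email] = SubjectRecord(email, dict(profile),
                                             retained=dict(retained or {}))

    def record_consent(self, email: str, purpose: str, source: str,
                       text_version: str) -> None:
        self.subjects[email].consents.append(
            ConsentRecord(purpose, _now(), source, text_version))

    def withdraw_consent(self, email: str, purpose: str) -> None:
        for c in self.subjects[email].consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = _now()

    def has_valid_consent(self, email: str, purpose: str) -> bool:
        """Only an explicit, unwithdrawn opt-in for this purpose counts; nothing is implied."""
        subject = self.subjects.get(email)
        if subject is None:
            return False
        return any(c.purpose == purpose and c.withdrawn_at is None
                   for c in subject.consents)

    def export_subject(self, email: str) -> str:
        """Portability: everything held on the subject, as machine-readable JSON."""
        subject = self.subjects[email]
        payload = {
            "exported_at": _now(),
            "email": subject.email,
            "profile": subject.profile,
            "consents": [asdict(c) for c in subject.consents],
            "also_held_by": sorted(self.downstream),   # locations the data was shared with
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase_subject(self, email: str) -> dict:
        """Right to be forgotten: erase locally, fan out downstream, report what remains."""
        subject = self.subjects[email]
        kept = {k: subject.profile[k] for k in subject.retained if k in subject.profile}
        downstream_status = {name: erase(email) for name, erase in self.downstream.items()}
        if kept:
            # keep only fields under a retention obligation; everything else goes
            subject.profile = kept
            subject.consents = []
        else:
            del self.subjects[email]
        return {
            "email": email,
            "retained_fields": {k: subject.retained[k] for k in kept},
            "downstream": downstream_status,
            # a downstream copy that could not be erased is an open obligation, not done
            "pending": sorted(n for n, ok in downstream_status.items() if not ok),
        }
```

The important design point is the `pending` list: an erasure request is not complete until every location the data was copied to confirms deletion, so a failed subcontractor call has to be surfaced and retried rather than silently treated as success.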
What about non-EU companies?
The GDPR responsibilities of EU-based companies should be clear by now, and there is no excuse for not being fully compliant. For companies located outside the EU, applicability can be harder to pin down, so here is a recap of the main points that determine which of those companies GDPR applies to.
Here are a couple of scenarios:
- If you're an Australian company selling goods online exclusively within your region and only in your local currency, GDPR likely won't apply to you. However, if your store displays prices in euros or another EU member state's currency, this signals an intent to sell to EU customers and makes you subject to GDPR, even if payment is restricted to AUD. Likewise, offering order fulfilment within the EU brings your business under GDPR.
- Even if your business is based outside the EU, GDPR may still apply. For example, if you're a U.S. hotel in Memphis using website analytics to track visitor behavior and offering tailored travel plans for overseas guests, you may be subject to GDPR. Monitoring the behavior of EU visitors—whether through analytics, cookies, or personalized recommendations—brings your business under GDPR regulations, regardless of your location.
Beyond tracking EU visitors, certain website features can indicate intent to serve EU customers—bringing your business under GDPR. These include:
- Offering EU language options or EU-specific domain variants
- Allowing users to select an EU international dialing code in online forms
Even without direct sales, these factors demonstrate an engagement with EU data subjects, requiring GDPR compliance.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.
Download our free ebook, Meet Xperience by Kentico, and discover how a CMS with built-in digital marketing features can help you build trust with your customers.