An overview of GDPR

We recently informed you of SimplePay’s current data protection standards and the steps that we are taking to ensure that we are compliant with the General Data Protection Regulation (GDPR). The GDPR replaces the Data Protection Directive 95/46/EC, effective from 25 May 2018. The following is an overview of some of the changes introduced by GDPR:


  • Increased territorial scope, as GDPR will apply if either the controller, processor or data subject* is in the EU.
  • Penalties of up to €20 Million for organisations in breach of GDPR.
  • Consent is required for the use of personal data and this consent can be withdrawn.
  • Breach notifications are mandatory if a breach in data protection occurs.
  • Increased rights for data subjects to obtain confirmation of whether their data is being processed, where and for what purpose.
  • Increased rights to have personal data erased and any processing of data halted, provided that it does not go against the public interest in having the data available.
  • The right for data subjects to obtain any personal data concerning them, which they may transmit to another controller.
  • Increased requirements for system designs, where data protection should be included from the onset of the design and the design must ensure that data is only held and used if absolutely necessary.
  • Increased record keeping requirements with mandatory appointments of Data Protection Officers for certain types of controllers and processors.



  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • ‘data subject’ means a living individual to whom personal data relates.