5 min read

GDPR: what is and how does the data protection law of the European Union

GDPR is the acronym for General Data Protection Regulation, a data protection legislation of the European Union.

In practice, it is a set of new rules for the control and processing of personally identifiable information.

Do you know what GDPR is and how it can affect your business? Have you stopped to think that new business models need to be put into practice to fit this new reality?

We will help you to reflect in depth on this.

Keep reading this article to know how GDPR works, how it influences business in Brazil and what you can do to adapt your company to it!

What is GDPR?

In January 2012, the European Commission set out plans for data protection reform across the European Union (EU). The aim was “to make Europe fit for the digital age”.

Almost six years later, in 2018, an agreement was reached on what this involved and how it would be applied. And one of the main components of the reforms is the introduction of the General Regulation on Data Protection (GDPR).

This new EU framework applies to organizations in all member states and has implications for organizations and individuals not only in Europe; also for those who have a business in the European territory or who use and/or share data of that and with that region.

At its core, the GDPR is a new set of rules designed to give EU citizens more control over their personal data; simplify the regulatory framework, so that both citizens and businesses can fully benefit from the digital economy.

The reforms are designed to reflect the world we are living in now and bring laws and obligations – including those involving personal data, privacy and consent.

How GDPR works in practice

Fundamentally, almost every aspect of our lives today revolves around data. From social media companies to banks, retailers and governments.

Almost all the services we use involve the collection and analysis of our personal data. Your name, address, credit card number etc. are data collected, analyzed and, perhaps more importantly, stored by organizations.

Data breaches inevitably happen. Information is lost, stolen, or released into the hands of people in the remotest places on earth – and these people often have malicious intentions.

Under GDPR terms, organizations will not only have to ensure that personal data are collected legally and under strict conditions, but that they manage them in a way that protects them from misuse.

Under this regulation, companies are also formally obligated to respect the rights of users – data owners – or they will face penalties for not doing so.

To whom GDPR applies

The General Data Protection Regulation applies to any organization operating in the EU, as well as to any organizations outside the EU that offer goods or services to customers or companies of that continent.

This means that almost every major corporation in the world needs to be ready not to infringe the GDPR. They need to have a GDPR compliance strategy.

There are two different types of data manipulators to which the legislation applies: ‘processors’ and ‘controllers’. The definitions of each are set out in Article 4 of the RDP. Basically, they are as follows:

  • a controller is “a person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of processing personal data”;
  • the processor is the “person, public authority, agency or another body that processes personal data on behalf of the controller”.  

How GDPR affects Brazilian companies

The impact of GDPR on Brazilian companies is enormous. The regulation permanently modifies how European customer data is collected, stored and used in business.

Therefore, it is fundamental that the Brazilian businesses that act/or want to operate in the European Union know the GDPR in depth.

The fines for not complying with this new regulation are large. They can reach 20 million Euros or, in the case of more serious violations, up to 4% of the total global revenue of the business.

For example, not having sufficient customer consent to process data or violate privacy principles is considered a serious violation.

There is also a tiered approach to fines. The penalty may be 2% for not having records in order and/or not notifying the competent authority and the holder of the information about a violation, for example.

In short, it will become increasingly difficult for national companies, which do not know how to adapt to GDPR to set up their businesses in Europe.

The same holds true for partnerships with organizations in that region – as long as the negotiations involve manipulation of European citizens’ data.

How to prepare your company for GDPR and do business in the European Union

In addition to knowing the GDPR in depth, it will also be necessary to adjust the business model to do or continue doing business in the European Union.

Focus your business on the user

GDPR practically forces organizations to focus more on users. This means creating resources, platforms and methods that give more transparency to transactions and the use of information from customers, suppliers and partners.

The user experience combined with information security, for example, needs to be strengthened. And that goes beyond implementing mechanisms.

More and more people will have to be given the means to manage which data they want to share and which data they do not want to share.    

Use Design Thinking and User-Centrism Strategies

With regard to the methods employed to adapt the business model to GDPR, we recommend two approaches:

Design Thinking

Design Thinking is a structured approach to innovation that has human beings as a focus and seeks to generate solutions that align the desire and needs of the consumer user with the generation of value for the business.

This method works through some principles that are applied in innovation projects for the most varied purposes:

  1. Focus on people;
  2. Multidisciplinary collaboration;
  3. Making ideas and concepts tangible.

In short, it is possible to use Design Thinking in the reformulation or adaptation phase of the business model to fit the GDPR, but also to deal with the new mindset of technology users in the European Union.

→ Go deeper with the Design Thinking and Agile e-book in the context of Digital Transformation!


The term User-Centrism was coined by Rick Levine, Christopher Locke, Doc Searls and David Weinberger in The Cluetrain Manifesto (1999). It refers to the notion that consumers are increasingly monitoring how services are delivered to them, rather than being forcefully managed by suppliers.

By establishing a User-Centrism strategy, you can centralize the user’s self-control mechanisms, as well as increase transparency in data exchange.

One practice that goes into this approach is the so-called API of Me, which is nothing more than the idea of giving the consumer full control over who can access their personal data on the Internet.

With an API with cloud storage, it would be possible to manage data permissions. At the heart of the issue is empowering citizens to mediate transactions about their data, and can even revert to benefits such as discounts, cost savings, and more.


As you have seen throughout this reading, there is a certain challenge for organizations around the world that operate in the European Union. And this is no different from Brazilian companies.

The point is that action needs to be taken as soon as possible to bring it into line with the new regulation, in particular, to get the background needed and be apt for future opportunities.

What did you think of the reflection we brought in this article? Contact us and see how we can help you adapt to GDPR!

New call-to-action