What you need to know about General Data Protection Regulation (GDPR) Guidelines

… and how to comply without the hassle

On first hearing of GDPR, some company CEOs might say, “Oh well, yet another EU directive that nobody will enforce — we had those in the past — no reason to worry. And even if an individual sues my company for a data privacy breach, who cares? We’ll work out a deal and move on.”

Well, far from it! This time it’s different.

What is GDPR?

The aim of the GDPR is to give all EU citizens control over their personal data and to protect them from privacy data breaches. The concepts introduced with regard to enforcement and penalties are a major change compared to previous data protection guidelines.

GDPR applies to all companies processing and holding the personal data of so-called “Data Subjects” — the individuals residing in the European Union — regardless of the company’s location and regardless of where the data is actually stored.

A real game-changer is the fact that GDPR is a regulation and not a directive. It’s a regulation that must be applied in its entirety across the EU, while a directive only sets out a goal that all EU countries must achieve.


The penalty scheme for violations will hugely differ from the type of penalties to which companies are accustomed under the EU Directive: for the most serious infringements, up to 4% of annual global turnover or €20 million can be imposed on companies. A major difference is also the fact that local Data Protection Agencies (DPA) are entitled to audit companies and impose a fine whereas previously, individuals had to sue a company for data breaches and go through a potentially long and cumbersome legal process.


Data Controller: A controller is the entity that determines the purposes, conditions and means of the processing of personal data.

Data Processor: The processor is an entity which processes personal data on behalf of the controller.

Data Subject: Any information related to a natural person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Data Subject Rights

The rights of data subjects have been significantly expanded. The aim is to protect every EU citizen’s private data and to force companies to handle their data with care.

The Right to Access

A data subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, where and by whom it is processed and for what purpose. In addition to that, the individual has the right to get a copy in electronic format of the personal data, free of charge.

The Right to be Forgotten

The Data Controller must be able to completely erase the personal data of the Data Subject, terminate further distribution of the data and have third parties stop processing the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.

The Right to Data Portability

The right to transmit personal data concerning the Data Subject to another Data Controller and to receive it in a “commonly used and machine readable format” puts even more pressure on Data Controllers to manage the data in a transparent way.

Privacy by Design

Up until now, the Privacy by Design concept has not been part of legal requirements. With the GDPR, this changes, and companies have to support data protection from the outset of designing their systems, rather than including it as an addition.

These are only a few aspects of GDPR and there is much more to it. Here’s how we can help you.

How can Matterial help you comply with GDPR?

A paper-based document workflow is not only expensive, complicated and error-prone, but also a major problem when it comes to the principles described in the GDPR. It is almost impossible to meet the requirements regarding data security, transparency and data access without spending a huge amount of money and resources.

Matterial’s powerful document management system uses a technology that was designed from scratch to meet the strictest requirements of data security. The Privacy by Design concept has always been the top priority when designing the core engine of the software.

Data Storage and security — what it boils down to

A document management and workflow system stores a large number of documents, each of them potentially containing personal information of Data Subjects. Because these documents are processed using digital workflows, which might collect additional information about the Data Subject, it becomes even more complicated to keep everything together and to prevent data breaches. In order to avoid data fragmentation and limit access to the data to authorized personnel only, the core storage technology must support the concept of “keeping it all together”. These databases are well-known relational databases, which means that they are potentially subject to attacks.

The responsibility of documentation for GDPR

Matterial helps you comply with the GDPR guidelines by providing a fast and comprehensive documentation system that runs securely in the cloud and is accessible from anywhere.

Most importantly, it helps document the process of becoming GDPR compliant, because in the eyes of regulators the most compliant companies are those that provide proof of having started to document their efforts, not those that have actually implemented some of them.

Designed to be private

Matterial is built on the principle of “Privacy by Design”. This means that it’s built with privacy taken into account at every step of the engineering process. Not only is it secure, with user data protected; it’s designed so that data doesn’t need protection, which is even more privacy-friendly.

The documentation process

Matterial guides and supports your documentation process. Because of its intentional lack of folder structures and hierarchies, it can scale almost infinitely while still providing the essential tools to record and find information and specific data. Its technology for storing documents ensures that they’re still accessible decades from now.

With the multilingual, version-controlled documents, you’ll have a single source of truth for all your documentation and you can keep it all in one place while collaborating with your colleagues.

As legislation and regulation are subject to change, the Matterial Knowledge Management helps you keep track of how to respond efficiently. Also, it makes it easy to inform the relevant people whenever parts of the documentation change. Most importantly, Matterial is a way to record information fast and then make it available and transparent, not only to your collaborators, but also to authorities.

The time to act is now. If you have any questions or need help, talk to us.