All about the GDPR: Reasons, issues and implications

August 19, 2022

The General Data Protection Regulation (GDPR) has provided a framework for the processing and circulation of personal data within the European Union since May 25, 2018. The rules were reinforced on April 1, 2021, particularly concerning intermediaries such as trackers and cookies.

As soon as an EU citizen is affected, the GDPR applies, regardless of the country in which the company that is processing the data is located. As soon as the company has an activity in Europe, it is affected.

To understand what the GDPR is, it is necessary to know what is behind the notion of personal data.

Personal data is information relating to a natural person. It can be information such as name and surname, but also a customer number, a telephone number, or information on physical, genetic, psychological, social, economic or biometric characteristics, etc.

Thus, any information held about an individual is personal data.

It is the processing of this data that the GDPR regulates.

Data processing is an operation (or several operations) performed on this personal data (collection, transmission, consultation, modification etc.). The data processing must be legitimate with regard to your professional activity and for a specific purpose.

This regulation therefore harmonizes the rules in Europe regarding data protection in order to have a single legal framework that applies to all member states.

In this way, European companies are on an equal footing when it comes to managing customer data, and the user is protected from malicious use.

As a result, the GDPR allows professionals to develop their digital activities in the European Union based on the trust of users.


The GDPR is the regulation that adapts to technological and societal changes.

The use of digital technology, the development of online businesses, and many other advances are therefore at the origin of the adoption of these measures.

The primary objective of the GDPR is to protect customers and their data.

To do this, the GDPR is based on 4 principles:

  1. Consent
  2. Transparency
  3. Rights
  4. Responsibility

As for consent, companies must now obtain it clearly, explicitly (positively), and in writing, from their users.

Without it, they cannot collect or process personal data without risking legal sanctions in the event of an inspection by the CNIL (the reference authority for the GDPR in France).

There are nuances between B2B and B2C on this subject. B2B companies do not need to collect consent as long as the purpose of the collection is respected. However, for solicitation by third parties, consent is required. If the data collected by B2B companies is B2C data, consent is also required.

Regarding transparency, the company must explain to the user in a clear, concise and unambiguous manner, the reason for the collection of data and how it will be processed.

The user has the right to know what is collected and why, in order to accept or not the conditions of the professional.

In this same spirit of protection, customers regain control of their data, and the GDPR gives them new rights:

  • The right of facilitated access: The company responsible for data processing must facilitate the user's access to his personal data within a maximum period of 1 month.
  • The right to data portability: The individual has the right to retrieve his or her data in an easily transposable and reusable format for transfer to a third party. This is what happens when a person moves from one social network to another by transferring their data.
  • The right to be forgotten: This is where the biggest breakthrough concerning personal data and its processing takes place. A person can ask the company responsible for the data to delete it, within 1 month instead of 2. This also applies to all copies of the data.

Finally, the last reason and the last pillar of these measures lies in the responsibility of the company. The idea of this regulation is not to restrain companies, but only to put in place measures to avoid fraudulent or malicious use of the data collected.

This notion is illustrated through:

  • Documentation: Companies are required to demonstrate compliance with the new regulation through documentation of measures and procedures for the protection of sensitive personal data.
  • Strengthening security measures: Companies are responsible for the protection of this data and its confidentiality. They must implement anonymization measures and perform penetration tests to guarantee the security of the data held.
  • Supervision of subcontractors: This measure makes the company holding the data (thus the client company of the subcontractor(s)) co-responsible in case of a leak or other problem with the data. They must therefore ensure that the subcontractors they work with have sufficient guarantees for data protection.
  • Notification in the event of a breach: In the event of a breach, hacking, or other, the company must inform the CNIL within 72 hours, but also the persons concerned if the breach involves a risk for the rights and freedoms of individuals. It is in this context that the Assistance Publique des Hôpitaux de Paris had to inform the vaccinated persons whose information had recently leaked.
  • Appointment of a Data Protection Officer: The company will have to appoint a person whose role will be to ensure the company's compliance with the GDPR and to drive data governance.

Companies are therefore made accountable. The goal is to avoid another affair like the Cambridge Analytica scandal, where, during Donald Trump's presidential campaign in 2016, tens of millions of users' data were analyzed without their knowledge.


The fact that users can now opt out of data collection and processing on sites, for example, has a negative impact on acquisition campaigns. These campaigns are often based on actions taken by prospects; if they refuse to let you collect this data, you lose information that previously indicated which actions to take to acquire new customers.

According to the Journal du Net, the share of refusals via cookie banners is reportedly 30 to 40% since the implementation of the new GDPR rules (April 1, 2021).

Google is developing Google Consent Mode to better address these refusals. This tool simulates the path taken by a person who has refused a cookie in order to feed the algorithms with data based on real behavior. This artificial intelligence is still in beta testing but is already massively used.

As for Facebook, it has decided to no longer go through trackers such as cookies but via servers instead.

But what solutions can be developed at the company level?

To start with, try to maximize consent by designing and optimizing your cookie banner. This can be done, for example, by playing on the colors and the psychology, and by explaining why acceptance would be beneficial to the user.

On the other hand, we know that cookies are on their way out, since they are destined to disappear very soon. Google Chrome has announced that it will stop using them by 2022. So this is the end of the hyper-individualization of marketing. New ways of working will have to emerge and be put in place. Contextual marketing, with inbound marketing and SEO, will have to take center stage.

Indeed, this content creation strategy aims to draw your prospects' attention to your expertise and your value proposition. In this strategy, it is the prospect who, independently, becomes interested in you and comes to you for information. It is quite natural that an individual interested in your solutions or products will give you consent for their data. Moreover, with inbound marketing, you are sure to have quality, qualified leads, since they will have come to you by themselves, which reflects a willingness to advance through your sales funnel.

Regarding email prospecting, the CNIL assures that the GDPR does not change the rules for either B2B or B2C companies, as long as the subject of the solicitation is related to the professional activity of the person being solicited.

In the event that the GDPR is not complied with, companies can be fined up to 20 million euros, or 4% of worldwide turnover. The higher of the two amounts applies.