General Data Protection Regulation (GDPR)The Expectations vs. Realities of GDPR

October 26, 2022 | 16 min read

General Data Protection Regulation

In a Nutshell

Five years after implementation, has GDPR benefited — or hindered — your business? This article will explain everything you need to know about the EU’s General Data Protection Regulation from what it is and what it proposed to do, to the stark realities merchants have been saddled with instead.

What Effect Did the General Data Protection Regulation — or GDPR — Really Have on Merchant Operations?

The General Data Protection Regulation, commonly abbreviated as the GDPR, was one of the first global data protection policies. Officials claimed these regulations would “strengthen and unify data protection for individuals within the European Union.” That was before implementation back in 2018, though.

Did the initiative really deliver on that promise? What more could be done?

In order to fully grasp the benefits and pitfalls of GDPR, we should reexamine what it is, its intended purpose, and the unintended problems it might have introduced to the global market.

When Did GDPR Go Into Effect? Who Does it Apply to?

The General Data Protection Regulation is a regulation in data protection and privacy regulation implemented as part of EU law on May 25, 2018.

The GDPR applies throughout the European Union and the European Economic Area. The ruleset is an important component of EU privacy law and human rights law, particularly Article 8 of the Charter of Fundamental Rights of the European Union.

GDPR was revolutionary in the sense that it was the first effort to extend EU data protection laws to international businesses. Both local and international businesses that sell to EU customers were impacted by the regulation. Any company that controls or processes personal data of EU residents is subject to the law.

What Purpose Does GDPR Serve?

In short: the objective is simply to protect the privacy of consumers and keep their data safe.

Obviously, it’s not the intent of most businesses to use consumer data in a nefarious or irresponsible way. Regardless, the GDPR was implemented in response to consumer concerns about how businesses use and retain that data.

Those concerns weren’t unfounded. 88% of UK companies suffered breaches between 2019 and 2020. The figure rose to 90% in Italy, 92% in Germany, and a whopping 94% in France, the concern is definitely warranted. Indeed, according to international insurance group Hiscox, one small business is successfully hacked in the UK every nine seconds. 

The purpose of GDPR was to increase and mandate consumer protections in the EU and abroad. The legislation broadened and diversified the definitions and utility of privacy terminology.

GDPR Affects Anyone Who Does Business in the EU

If you sell goods or services to anyone that resides within, or is a citizen of the EU, then GDPR applies to you. This is true regardless of your location. So, even tech companies in the US could be subject to the law if they might track, analyze, and market to EU citizens. So, the only way to opt-out of General Data Protection Regulation is to refuse to do business in the EU.

Businesses are required to procure and prove that they have invested in technology that will detect data breaches and allow for disclosure within 72 hours. Failure to comply with GDPR rules like this could be extremely costly.

Make sure you're never caught off guard by legal and policy changes.REQUEST A DEMO

An inability to establish this effective “privacy by design” structure will result in severe consequences. Fines of up to €20 million or 4% of annual worldwide turnover (whichever is greater) could be assessed.

Businesses must consistently demonstrate that they are doing more than complying with the letter of the law regarding GDPR rules. They must also actively innovate and implement new data solutions that protect consumers.

This doesn’t necessarily seem like a bad thing, at least from the outside. But, as most merchants will already know, it can become an expensive and time-consuming process. 

Key Policy Changes Imposed by GDPR

As mentioned above, EU policymakers created GDPR regulations to standardize and improve consumer protections. It was also to broader consumer understanding of — and agency over — their own data.

The law redefined much of the terminology concerning the mining, storage, and processing of consumer information and privacy to achieve this goal. These changes include:

Personal Data

The definition of personal data was broadened to describe any information relating to an identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, ID number, location data, or online identifiers. It also applies to the identity of an individual based on factors including:

  • physiology
  • genetics
  • mental health
  • economic class
  • culture
  • social identity

Businesses must secure customer consent before using personal information in any way other than the exact purpose for which it was originally agreed. They must reveal exactly how the information will be used. This consent is retroactive, applying also to data acquired before the law’s enactment.

Consumers must actively opt-in, and consent cannot be implied. Businesses must be able to prove consent was obtained, and language must be easy-to-understand so that consumers can make an informed decision.

Right to Erasure

The next significant policy nuance is the right to erasure, or the “right to be forgotten.”

The GDPR stipulates that data can’t be held longer than necessary. The business also can’t change the use of data from the purpose for which it was originally collected, and consumers can request that their personal information be removed from the business’s database at any time.

Companies' must know exactly where every instance of personal data is located so it can promptly and effectively be removed. This could be an issue, as 78% of CIOs acknowledge that it is difficult to pinpoint exactly where data is stored.

Privacy by Design

Lastly, organizations must operate within ‘privacy by design’ parameters. Adherence to privacy regulations must be integrated into the very functionality of systems and technologies, with default privacy settings set at a very high level.

Part of this stipulation includes the appointment of a data protection officer; a requirement for approximately 30,000 EU businesses. Previous privacy laws applied based on the business’s size were replaced with assessments based on data usage.

The 7 Principles of GDPR 

Article 5.1-2 of the General Data Protection Regulation lays out the seven principles the GDPR aspires to address. These are as follows:

1 | Lawful, Fair, and Transparent

Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

2 | Of Limited Purpose

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.

3 | Data is Minimized

Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

4 | Accuracy

Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5 | Storage Limitation

Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest; i.e. scientific or historical research purposes or statistical purposes in accordance with Article 89(1).This will be subject to the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.

6 | Confidential Integrity

Personal data shall be processed in a manner that ensures appropriate security of the personal data. Examples include protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

7 | Accountability

Finally, the controller shall be responsible for, and be able to demonstrate compliance with, all the other principles outlined above.

These seven principles are meant to ensure that individuals have the right to refuse the use of their data for privacy purposes. They also have the right to restrict businesses from obtaining or using this information without consent. 

Does GDPR Deliver on Expectations?

Love it or hate it, the General Data Protection Regulation did increase protections for EU consumers pretty much across the board. In this way, yes, it does deliver on its central promise.

From this standpoint, GDPR is an overwhelming success. It has elevated consumer trust and confidence, improved transparency between merchants and consumers, increased competition between companies, and helped mandate necessary fraud precautions that affect everyone. 

Despite all of this, many merchants feel GDPR has fallen short of the marks. It has not streamlined regulation in their view; indeed, many merchants claim GDPR remains an infuriating, complex set of rules that fail to provide either benefit in any meaningful way.

Make compliance simple.REQUEST A DEMO

According to, there are glaring enforcement disparities at the national level. These stem from gaps in resources, diverging enforcement traditions, and different interpretations and applications of the 80-page privacy bill.

In a further failure, EU-wide harmonization of the rules has also been an issue. The EU’s executive body simultaneously hails the bill as “an overall success” while admitting that “harmonized and consistent implementation and enforcement of the GDPR across the EU” fail to meet preferred benchmarks. 

So, what’s the deal here? Does GDPR work, or not? The answer, much like the law itself, is dense and complicated. 

Realities of GDPR

Naturally, when the General Data Protection Regulation came into play, every merchant from Florida to Singapore freaked out. Essentially, any business that has customers in the EU region believed the regulations would utterly hamstring their businesses.

They had no idea what compliance would require, how much it would cost, nor how non-compliance might affect them. Add to this a general chafing regarding their inability to opt-out regardless of their size or vertical, and you had a recipe for panic. 

While inconvenient to some, the protections that the GDPR put in place are great for customers. Buyers are generally happy to spend money with companies who hold their best interests at heart. That said, there are a few downsides to GDPR that still affect many merchants today, especially here in the US, where the law is less forward-facing:


Enforcement is a bit of a mess. Protections, regulation, and enforcement are not always equally applied throughout the European Union or abroad. Further issues are introduced at the implementation level. Many countries that do business in and around EU citizens have been slow to adopt the resolution or misunderstand its application altogether. When paired with historically heavy fines, GDPR is far from a streamlined solution.


The complaint here is twofold. First, for businesses that are just now becoming internationally viable, the introductory costs associated with GDPR regulations in Europe can feel like an unnecessary hurdle. Fraud prevention isn’t a cheap endeavor, and the degree to which companies are required to comply can be steep to implement and maintain.

Of secondary issue here are the hefty fines associated with non-compliance mentioned above. When you face the prospect of being liable for losses to the tune of £20 million or 4% of revenue… this is no small concern.

Red Tape

Let’s face it, running a business is already a complex, time-intensive occupation with little room for error or additional headaches. However, since GDPR applies to any and every business that sells and markets to the EU, merchants have no choice but to comply. For businesses in the US and points beyond, the increased number of hoops they were forced to jump through for a foreign law did — and still does — cause concern.

General Data Protection Regulation (GDPR)

False Declines

False declines, a by-product of the increased security and anti-fraud measures mandated by the GDPR, are a bigger problem than fraud itself. You read that right. False declines cost merchants around $443 billion every year… a number significantly higher than losses associated with fraud, at a mere $5.8 billion.

No one is saying GDPR causes false declines per se. However, we are implying that a better balance between regulation and fraud prevention systems must be struck to equalize consumer and merchant protections.

Learn more about false declines

Transparency Required

Some merchants are uncomfortable disclosing their business practices to every consumer who navigates to their website. Despite this concern, merchants are required to ensure consumers remain informed about how and where their data will be used, in accordance with GDPR.

The goal for most merchants is to provide an enjoyable, frictionless shopping experience for their customers. Under GDPR, merchants and retailers are required to not only inform consumers that their data is being tracked and collected, but also provide them with the opportunity to opt-out immediately.

This might not seem like such a big problem at first. However, many consumers click out of websites that feature too many pop-ups or lengthy forms.

However a merchant feels about GDPR, there isn’t much wiggle room when it comes to following the compliance guidelines. Businesses that fail to comply with the rules are in for a rude awakening, as hefty fines and legal action are very real possibilities.

Take Control of Data Protections

GDPR increased, streamlined, and improved consumer data protections by holding merchants accountable for the data they collect and store. That can certainly be considered true for the consumers impacted by these laws. For merchants, though, the law often presents a further complex hurdle to regular business practices. 

However you feel about the regulations, if you intend to do business in the EU, then the General Data Protection Regulation applies to you too. That said, the protections laid out in the GDPR shouldn’t come as a surprise by this point– and what’s more, they shouldn’t feel exclusionary to any business, either. 

Even if you are not yet an international seller, it would be a good idea to stay one step ahead of the game by prepping your business for compliance in advance. The additional benefit to these preparations can also decrease your risk of fraud, increase consumer trust and loyalty, and ensure that your business is future-forward and prepared for any eventuality. 

A few best practices include:

  • Informing consumers about their right to data privacy.
  • Being transparent about your data collection habits.
  • Attaining consent from consumers to use said data.
  • Providing consumers with the ability to opt-out of all data collection.
  • Enhanced brand reputation.

To take this future-forward approach one step further, it is a good idea for merchants to approach fraud prevention with the same amount of forethought. 

Adopt a Multi-Layer Strategy

To remain compliant with GDPR, you will be required to adopt a strong, multi-layered approach to fraud prevention and management. You need to useadvanced tools like AVS, CVV, and geolocation… to name just a few. The more safeguards you have in place and working together, the better. 

Fighting back against fraud isn’t going to be your only concern, though. Although GDPR doesn’t directly impact your rate of chargebacks, your business will be affected by them no matter where in the world you operate. 

Pairing effective fraud and chargeback management together can help your business not only meet the demands laid out in GDPR but could help you exceed them. To make this a reality, having a professional team with industry knowledge and expertise in your corner could be exactly what you’re looking for. 

No one understands this better than the experts at Chargebacks911®. That’s why we offer the most comprehensive chargeback management services and products available. Call us today for your FREE ROI analysis. 


What is the GDPR?

The General Data Protection Regulation (or GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and human rights law, particularly Article 8 of the Charter of Fundamental Rights of the European Union.

What are the 7 principles of GDPR?

The 7 principles of GDPR compliance include: 1) lawfulness, fairness, and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability.

What was the main goal of the GDPR?

EU policymakers created GDPR regulations to standardize and improve consumer protections and increase consumer understanding of, and agency over, their own data. To do this, the law redefined much of the terminology concerning the mining, storage, and processing of consumer information and privacy.

Who does GDPR apply to?

If you sell goods or services to anyone that resides within or is a citizen of the EU, then GDPR applies to you, regardless of your location. This means that even tech companies in California, Texas, or Florida are beholden to the law if they operate websites that are available internationally that also track, analyze, and market to EU citizens. Thus, the only way to opt-out of General Data Protection Regulation is to refuse to do business in the EU.

Did the GDPR work?

GDPR did increase protections for EU consumers pretty much across the board. It also ensured that merchants who cater to EU consumers, even overseas, would be beholden to the same standards. From this standpoint, GDPR is an overwhelming success.

However, many merchants feel GDPR fell far short of its proposed benchmarks: namely, streamlined regulation and consistent implementation. Indeed, many merchants claim GDPR remains an infuriatingly complex set of imposed rules that fail to provide either benefit in any meaningful way. 

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form