The European General Data Protection Regulation (GDPR) will have a global impact when it becomes
applicable on 25 May 2018. Analysts predict that more than half of all companies will not be in full
compliance with its requirements by then; we strongly believe that a successful compliance journey
should be more than rule-driven conformity.

Through the next chapters we will guide you through the ideas and intentions behind the GDPR,
so you can take them into account when working towards effective data management and digital
transformation strategies.

Introduction

Remember those messages asking you to accept the "terms and conditions" while you filled in your name to create a social media account? Chances are you ticked the box without reading them properly. Ticking that box may seem to matter little for your privacy, but you may have given someone consent to use your personal data for their own gain.

GDPR, the General Data Protection Regulation (Regulation (EU) 2016/679), is a regulation that
replaces Directive 95/46/EC and harmonizes the legal framework for data protection within the
European Union (EU). Its main goals are to increase legal certainty, reduce the administrative
burden and cost of compliance for organizations and enhance consumers' confidence. The regulation
entered into force in May 2016 and, after a two-year transition period, applies from 25 May 2018.

The exact number of unprepared businesses varies with the survey, but it appears to be huge. To date,
most organizations have not addressed their data protection and privacy risks in a consistent way.
The GDPR makes this essential, but it also offers the opportunity to take a more business- and
customer-centric approach: one that lets companies understand how they manage personal data, helps
managers make better-informed decisions and creates a better experience for their customers.

 

 

1 - The material and territorial scope of personal data

You may be processing more personal information than you think

The GDPR protects "personal data", but the full extent of what that covers may come as a surprise to
some. Most organizations do not grasp the actual scope of the personal data they process daily: the
data subjects can be customers, employees, freelancers, suppliers or even partners.

Think about the organization you work for. Do you keep records of customers or prospects? Perhaps only
of your own employees, suppliers or service providers? If your organization maintains personal
information in any form and decides why and how it is used, you are a "Controller" and will have to
deal with the GDPR in one way or another.

If you process personal data on behalf of another organization and on its instructions, you are a "Processor" for that data. As a rule of thumb, personal data is "any information relating to an identified or identifiable natural person", whether the person is identified directly or indirectly (a definition the GDPR carries over from the current Data Protection Directive 95/46/EC). Some information is immediately recognizable as personal (a name, an identification number, an address); other information identifies a person only indirectly, through factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity, and some of it (health data, for example) belongs to the special categories that the GDPR protects more strictly.

 

 

The GDPR clears up some of today's ambiguities and widens the concept of personal data. For example,
the regulation states that online identifiers and location data, such as IP addresses, website cookie
strings and mobile device IDs, can single out a person and are therefore personal data when they can
be linked to one.

Additionally, the regulation clarifies the material scope of "processing" as any operation performed
on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, disclosure or erasure. These operations can include complex manual workflows with physical documents as well as everyday actions such as exchanging emails.

 

Extending the reach of EU data protection

One of the key changes the GDPR brings to the existing framework is its extra-territorial applicability.
Organizations established in the EU or the European Economic Area (EEA) must follow it wherever the
processing itself takes place, and organizations established elsewhere must follow it when they offer
goods or services to, or monitor the behaviour of, individuals in the EU or EEA. The test is where the
individual is, not their citizenship: the GDPR extends EU data protection law to all foreign companies
that process the data of people in the EU.

The fact that so many organizations will fall under the GDPR's scope suggests that a lot of them will
need to step up their game. Failure to comply with the new rules can result in severe penalties of up to
20 million euro or 4% of annual worldwide turnover, whichever is greater. But beyond rules and obligations, the regulation will also give compliant companies a competitive advantage over non-compliant ones. Adhering to the new rules places customers at the centre of the relationship, which improves customer service quality and generates positive results in terms of reputation and trust.

2 - Becoming accountable: private information inventory

Increased accountability of organizations is one of the backbones of the GDPR. Every business handling the personal data of individuals in the EU, whatever its size or location, will be required to determine, and in most
cases document, the 5 W's (Who/Where/What/When/Why) of all the personal data under its control.
Given the volume of data collected and processed daily, this is an overwhelming exercise for most companies. In practice, it implies a thorough assessment of each procedure and application across all departments, offices and subsidiaries to determine:

  • if any privacy-related information is stored
  • where it is stored (physical archives, digital systems, etc.)
  • if it contains any high-risk or sensitive data
  • what is the legal ground for data processing
  • if explicit permission has been obtained (when based on consent)
  • if a storage duration (retention period) has been established
  • who has access to this information
  • if the use of personal information can be easily documented/compiled

This accurate inventory of all personal data sources and processes is the basis for understanding which measures, organizational changes or system adjustments will need to be implemented.

3 - Personal data processing: when is it legal?

Before May 2018, organizations should review the bases on which they currently collect and process data to ensure they will remain valid under the GDPR. They also need to ensure these legal bases are well documented (for accountability) and communicated, which means, for example, updating their privacy policies and issuing regular privacy notices.
Under the new regulation there are 6 lawful bases (Article 6) for processing personal data:

  • Contractual necessity, when personal data is needed to enter into or perform a contract with
    the data subject
  • Compliance with a legal obligation to which the controller is subject
  • Vital interests of the individual or of other individuals (e.g. children of the data subject)
  • A task carried out in the public interest or in the exercise of official authority
  • Legitimate interests of the controller or a third party, except where overridden by the
    fundamental rights and freedoms of the individual (in particular where the data subject is a
    child); this basis is not available to public authorities for their official tasks
  • Consent of the individual: freely given, specific, informed and unambiguous (and explicit when
    special categories of data are involved)

Previously treated as the default foundation for legitimate processing, consent is now better seen as
a last resort, because it comes with heavy conditions. Under the GDPR, consent cannot be assumed: it
must be freely given, specific, informed and unambiguous, expressed through a clear affirmative action
before the data is processed or stored. Pre-ticked boxes on a web form will no longer count as consent.

Neither will "opt-out" consent, silence, inactivity or a failure to answer a question. Every request
for permission to access, process or store personal information must be presented clearly and
separately from other matters, and organizations must keep evidence of the consent given (who, when,
for what, and how the request was presented) for future reference.

With all these obligations, it can be hard for data controllers to demonstrate valid consent for the
use of personal information. Moreover, once given, consent can be withdrawn at any time, and withdrawing it must be as easy as giving it; after withdrawal, the processing based on that consent must stop, and the individual may additionally ask for erasure or restriction of the data.

4 - Respecting the enhanced individual rights

Besides accountability and transparency, individuals and their rights underpin all of the GDPR principles.
The new regulation gives individuals back control over their personal data, creating new rights and
refreshing some existing ones.

  1. The right to be informed
  2. The right of access
  3. The right to rectification (correct or update)
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling


Organizations will need to take all these rights into account when defining their processes and preparing
their systems for compliance. Existing privacy policies should be revised to explain privacy commitments
in an unambiguous, clear, intelligible and accessible way. More importantly, every company needs to be
prepared to handle and document requests from individuals wanting to exercise those rights within
the required short timelines: as a rule, a request must be answered within one month, extendable by two
further months only for complex or numerous requests, and the individual must be told about any extension.
This means setting up internal workflows and automated reports that allow prompt data rectification,
completion, restriction or erasure, and that let you locate every copy of a person's data (the inventory
of topic 2 is what makes this possible).

However, some of these rights may be limited by the legal grounds discussed in the previous topic. For
example, under the "right to be forgotten" personal data must be erased when the data subject requests
it, but the request may be refused where the Controller has a legal obligation to retain the data. In
that case, keep the evidence of the whole procedure, so accountability can be demonstrated on request.
Likewise, an objection to processing based on legitimate interests or a public task can be refused when
the Controller demonstrates compelling legitimate grounds that override the individual's interests, or
needs the data for legal claims; an objection to direct marketing, by contrast, must always be honoured.

 

5 - Embedding Compliance: GDPR's privacy engineering

One of the key transformations brought by the GDPR is to place data protection at the core of all business systems and processes: "data protection by design and by default", commonly called privacy by design. As Wikipedia describes it, it is "not about data protection" but rather "designing so data doesn't need protection". Before May 2018 companies need to ensure
their systems and applications fit the new privacy rights and obligations. From then on, this becomes a standing requirement that will shape the work of R&D and IT departments.

The main idea is to make privacy the default setting in product development and to minimize the need to recognize or identify users from a product's or service's initial design onward. Privacy Impact Assessments (PIAs), which the GDPR formalizes as Data Protection Impact Assessments (DPIAs) and makes mandatory for processing likely to result in a high risk to individuals, are an integral part of the privacy by design approach. They are a tool to identify and reduce the privacy risks of projects or activities: they help you reduce the risk of harm to individuals through misuse of their
personal information and can lead to more efficient and effective processes for handling personal data. The
core principles of the PIA process can be integrated into existing project and risk management
policies to reduce the effort of conducting the assessment and to spread privacy awareness
throughout your organization.

Activities in the areas of enterprise content and digital experience immediately come to mind as critical to
analyse. Document management, case management and Business Process Management (BPM) tools contain
large volumes of employees', suppliers' and other partners' personal information.
The privacy by design approach will have a visible impact on Enterprise Content Management (ECM)
and collaboration. Traditionally, in the name of transparency and team productivity, business
information managed through ECM platforms is open to everyone in the company. In the future, access
models will have to be defined up front, so that the entire system is mapped against who actually needs which information. Companies may need to move from an "open by default" to a "restricted by default" security model (deny unless explicitly granted), and to log who accessed what, so that access can be reviewed afterwards.

On the other side, organizations need not only to ensure their digital infrastructure is compliant, but also
to adjust their customer experience strategy and marketing automation tools and practices to the
privacy by design framework. This translates into an ongoing compliance strategy that includes,
among other things, pseudonymization and anonymization techniques, explicit consent for personalization and
automated data erasure once retention periods expire. Failure will come at the price of the aforementioned penalties and of the added resources needed to solve issues and deal with the consequences. Indirectly, non-compliant businesses may also jeopardize their brand reputation, their customers' loyalty and their position in the European market.

6 - Data minimization vs value maximization

Data has been at the top of business priorities, with "data maximization" emerging as standard practice for most organizations. With growing acknowledgement of its value for decision support across all corporate operations, organizations try to collect as much information as possible, from every available source, about their customers, partners and relevant audiences. Many gather personal information to draw conclusions about their audiences and act on the results, for example through market segmentation or price differentiation.
The GDPR's "data minimization" principle poses a major challenge for organizations. Companies will be required to:

  • collect the smallest possible amount of personal
    data
  • store it for the shortest possible period of time
  • ensure it is accessed strictly by only those who
    really need it
  • limit its use to the purpose specified to the data
    subject
  • delete it as soon as it has served its purpose

This means that companies whose marketing teams are already familiar with the use of customers’ insights for personalization and user experience optimization will need to revise their practices and find a proper balance with the new privacy concerns. Human resources departments will also be impacted, as they typically collect and store information not only of employees but also from candidates who apply for recruitment processes.

With impending compliance obligations under the GDPR, organizations will need to ensure that the use of all this data across departments and business areas remains authorized on an ongoing basis. This means establishing
and verifying retention periods based on the type of data processed, the purpose of processing and other factors,
such as the requirements of their specific business and the different categories of data subjects (e.g. employees, customers, prospects, partners, etc.), and then deleting the data once those periods expire, unless a legal obligation requires keeping it.
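To make the retention step concrete, here is an added example (written for this edition, not Amplexor's tooling or code from the original ebook) of a retention schedule applied to a data inventory. The categories, purposes, retention periods and sample rows are assumptions constructed for illustration; real periods depend on the purpose of processing and on national law. The example also models the legal-hold case from topic 4, where a record that has outlived its purpose must nevertheless be kept, and flags rows for which no retention rule has been decided.

```python
"""Retention schedule with legal holds: decide which records are due for erasure.

Added example, not part of the original ebook. The categories, purposes and
retention periods below are assumptions for illustration; real periods depend
on the purpose of processing and on national law, and must be set by the
organisation with legal advice.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# (category of data subject, purpose) -> how long the data may be kept after the
# purpose has ended (contract terminated, recruitment closed, consent withdrawn...).
RETENTION_SCHEDULE: Dict[Tuple[str, str], timedelta] = {
    ("candidate", "recruitment"): timedelta(days=180),
    ("employee", "payroll"):      timedelta(days=7 * 365),
    ("customer", "contract"):     timedelta(days=5 * 365),
    ("prospect", "marketing"):    timedelta(days=2 * 365),
}

# Constructed sample inventory rows, one per (record, purpose). Fictitious ids.
INVENTORY: List[Dict] = [
    {"id": "cand-17",  "category": "candidate", "purpose": "recruitment",
     "purpose_ended": date(2017, 6, 1), "legal_hold": False},
    {"id": "emp-4",    "category": "employee",  "purpose": "payroll",
     "purpose_ended": date(2010, 1, 31), "legal_hold": True},   # litigation hold
    {"id": "cust-88",  "category": "customer",  "purpose": "contract",
     "purpose_ended": None, "legal_hold": False},               # contract still running
    {"id": "pros-301", "category": "prospect",  "purpose": "marketing",
     "purpose_ended": date(2015, 3, 1), "legal_hold": False},
    {"id": "misc-2",   "category": "partner",   "purpose": "events",
     "purpose_ended": date(2016, 1, 1), "legal_hold": False},   # no schedule entry
]


def erase_after(row: Dict) -> Optional[date]:
    """Date from which the row may be erased, or None if the purpose is still active
    or no retention period has been defined for it."""
    period = RETENTION_SCHEDULE.get((row["category"], row["purpose"]))
    if period is None or row["purpose_ended"] is None:
        return None
    return row["purpose_ended"] + period


def classify(row: Dict, today: date) -> str:
    """One of: 'keep', 'erase', 'hold' (erasure blocked by a legal obligation),
    'review' (no retention rule defined, so nobody has decided purpose or period)."""
    if (row["category"], row["purpose"]) not in RETENTION_SCHEDULE:
        return "review"
    due = erase_after(row)
    if due is None or today < due:
        return "keep"
    return "hold" if row["legal_hold"] else "erase"


def erasure_plan(inventory: List[Dict], today: date) -> Dict[str, List[str]]:
    """Group record ids by decision. The 'hold' and 'review' lists are the audit
    trail showing why a record that has outlived its purpose is not erased yet."""
    plan: Dict[str, List[str]] = {"erase": [], "keep": [], "hold": [], "review": []}
    for row in inventory:
        plan[classify(row, today)].append(row["id"])
    return plan


if __name__ == "__main__":
    for decision, ids in erasure_plan(INVENTORY, date(2018, 5, 25)).items():
        print(f"{decision:7s} {ids}")
```

The retention clock starts when the purpose ends, not when the data was collected: a customer record cannot be aged out while the contract is still running, which is why `cust-88` stays in "keep" with no end date. Anything without a schedule entry goes to "review" rather than being silently kept, so the inventory exercise of topic 2 and the retention schedule stay in step.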

 

The secret is to understand how to protect privacy without reducing accuracy, and to maximize the value of your data under the principle of data minimization. With the proper support and some training, companies can keep using their users' insights while meeting the new requirements. Anonymization and pseudonymization are two valuable techniques here, but they are not equivalent. Anonymized data, from which the individual can no longer be identified by any means reasonably likely to be used, falls outside the GDPR altogether and can be analysed and published freely. Pseudonymized data, where direct identifiers are replaced by a token or keyed hash and the key or lookup table is kept separately, is still personal data and remains subject to the regulation; the GDPR encourages it as a security and data minimization measure, not as an exemption. A common pitfall is to treat an unkeyed hash of an e-mail address or phone number as anonymization: the input space is small enough that the hash can be reversed by simply trying every possible value.
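The following added example (not part of the original ebook) shows that difference in Python: a keyed pseudonym (HMAC-SHA256) that still lets records be joined but cannot be recomputed without the key, a plain hash of a phone number that an attacker reverses by enumeration, and a minimal anonymization that generalizes age and postcode and suppresses groups smaller than k. The records, phone numbers, key and field names are constructed for illustration.

```python
"""Pseudonymisation with a keyed hash versus an unkeyed hash, and a minimal
anonymisation by generalisation.

Added example, not from the original ebook. Records, key and field names are
constructed for illustration; the HMAC key stands for the "additional
information" that must be kept separately from the pseudonymised data.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample customer records (fictitious people and numbers).
RECORDS: List[Dict] = [
    {"customer_id": "C-1001", "phone": "+3225550101", "age": 34, "postcode": "1000", "spend": 420.0},
    {"customer_id": "C-1002", "phone": "+3225550102", "age": 36, "postcode": "1050", "spend": 95.5},
    {"customer_id": "C-1003", "phone": "+3225550103", "age": 58, "postcode": "1000", "spend": 1210.0},
]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, the 'just hash the identifier' shortcut many teams reach for first."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: deterministic (joins still work) but not recomputable
    without the key, which lives in a separate system under its own access controls."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifiers; the rest of the record is untouched, so the
    output is still personal data and still subject to the GDPR."""
    out = []
    for r in records:
        p = dict(r)
        p["customer_id"] = keyed_pseudonym(r["customer_id"], key)
        p["phone"] = keyed_pseudonym(r["phone"], key)
        out.append(p)
    return out


def brute_force_phone(target: str, hashfn: Callable[[str], str],
                      prefix: str = "+322555", digits: int = 4) -> Optional[str]:
    """Enumerate every number in a small range and compare hashes. Phone numbers,
    national IDs and e-mail addresses all live in spaces this small."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hashfn(candidate) == target:
            return candidate
    return None


def anonymise(records: List[Dict], k: int = 2) -> List[Dict]:
    """Drop direct identifiers, generalise quasi-identifiers (age band, postcode area)
    and suppress any group smaller than k, so no output row is unique."""
    def group_key(r: Dict) -> Tuple[int, str]:
        return (r["age"] // 10 * 10, r["postcode"][:2])

    groups: Dict[Tuple[int, str], List[Dict]] = {}
    for r in records:
        groups.setdefault(group_key(r), []).append(r)
    out = []
    for (band, area), rows in groups.items():
        if len(rows) < k:
            continue  # a singleton would re-identify its subject; suppress it
        for r in rows:
            out.append({"age_band": f"{band}-{band + 9}", "postcode_area": area, "spend": r["spend"]})
    return out


if __name__ == "__main__":
    key = b"demo-key-held-in-the-kms"  # constructed; never hard-code a real key
    leaked = unkeyed_hash(RECORDS[1]["phone"])
    print("unkeyed hash recovered:", brute_force_phone(leaked, unkeyed_hash))
    pseudo = keyed_pseudonym(RECORDS[1]["phone"], key)
    print("keyed pseudonym recovered:", brute_force_phone(pseudo, unkeyed_hash))
    print("anonymised rows:", anonymise(RECORDS))
```

Note what the anonymised output loses: the 58-year-old customer is dropped entirely because nobody else shares the same age band and postcode area, and the remaining rows can no longer be joined back to the original records. That loss of linkability is exactly what takes the data out of the GDPR's scope; the pseudonymised rows keep it, which is why they remain personal data.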

7 - Use cases: real-life scenarios

Example 1: Human Resources

Consider the following situation: in an industrial facility, a machine operator has informed his HR department that he suffers from a serious heart condition. This is personal data and, as health data, one of the special categories that the GDPR protects more strictly, so HR may not disclose it freely. Now imagine he is assigned to a new task that requires him to handle heavy equipment. May HR disclose the condition to the employee's managers or colleagues? Look back at the legal grounds. The information HR stores relates to his employment contract, and access to it is limited under data minimization. Sharing it can nevertheless be justified: the employer's obligations under employment and occupational health and safety law provide a ground for processing health data, and the vital interests of the employee apply where he is unable to give consent, for instance in an emergency. Even then, disclose only what is needed (for example, that he is not cleared for the task rather than the diagnosis) and only to those who must act on it, and record the decision.

 

Example 2: Customer Service

Consider a customer support assistant working for an insurer or a bank. Usually these employees have access to all customer records. Would this be in line with the new restrictions? Why should the whole support team have access to every customer's records, including those of their own managers, neighbours or public figures?
In an ideal system all records are locked by default and opened only for the assistant who accepts a call
related to the case. The telephone number of the calling customer, or the account number the caller enters in the IVR, selects the record to unlock, and only the employee answering the phone can see it. The system then automatically locks the record again 30 minutes after the call ends (the time span allowed for post-call updates). Two caveats: the caller ID or account number only identifies which record to open, it does not prove who is calling, so the assistant still has to verify the caller's identity before disclosing anything; and every unlock and access should be logged so that access can be audited afterwards.

 

Example 3: Product Marketing

Insurance companies use customer profiles as a basis for their pricing. Car insurance premiums, for example, are determined by factors such as residence address, gender, age, years without accidents and car type, and increasingly by telematics "black boxes" that track driving behaviour. The GDPR restricts automated processing and decisions based on "profiling" far more explicitly than Directive 95/46/EC did. The use of profiling must be communicated much more clearly; individuals have the right to object to profiling based on legitimate interests or a public task (and an unconditional right to object to profiling for direct marketing); and they have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless the decision is necessary for the contract, authorized by law or based on their explicit consent, in which case they can still demand human intervention and contest the decision. In this case, the car insurer should provide clear information on the pricing methodology and offer an alternative that does not require the same level of personal information.

8 - How to prepare: 9 steps towards compliance

We strongly believe that a successful GDPR journey should be much more than purely rule driven
compliance. Bureaucratic processes carried out to the letter of the law will only result in resistance
and frustration from employees, partners and even customers. Instead, you should focus on a digitally
sustainable approach, balancing your business priorities with the privacy protection intentions of the
GDPR.
By redesigning or implementing digital experience, enterprise content and organizational
workflows, you can ensure that the GDPR not only does not damage your business goals, but
turns into a genuine competitive advantage, driving long-term sustainable growth.

 

9 - Our approach: the GDPR implementation compass

The GDPR implementation compass provides a good summary for our approach. We propose to set sail in North East direction: follow GDPR according to the spirit of the law, where you will end up in the most effective business processes. When your compass is directed North West (follow GDPR to the letter of the law), you are probably advised by legal advisors only, and will end up with very bureaucratic business processes. From a legal standpoint you will be covered, but your organization will risk the agility and efficiency needed to compete in today’s global markets.

Going South is a risk on its own. By not following the GDPR you are risking (1) the hefty fines (which, as we have seen, can amount to €20 million or 4% of total worldwide annual turnover, whichever is greater) and (2), even worse, your customers' confidence. While it is still unclear how strictly the Data Protection Authorities
(DPAs) will use fines after 25 May 2018, and whether these fines will be negotiable, some organizations are still evaluating whether they are "interesting" enough for the local DPA for a
fine to be placed on their shoulders. The second risk, however, has a very direct impact on business revenue. When customers realize that you are not compliant with the GDPR and that their personal information might be at risk, they can move to your competitors. Furthermore, with
the current power of social media, this impact can be amplified very fast, as customers tend to be eager to publicly express their dissatisfaction with a service or company. With the added media focus on GDPR, this could bring irreversible damage to your company's reputation. Going South on the GDPR compass should never even be an option.

About Amplexor

Amplexor GDPR Compliance

Amplexor helps organizations worldwide to refocus their data management and digital transformation strategies with a customer-centric approach towards a successful journey to GDPR. We design and implement end-to-end strategies focused on the privacy by design/default vision, information governance and integrated accountability.
