So what is GDPR, and why should your customers care?

We all know GDPR is on the way and, to date, most of the articles have been industry-focused, talking about the effect it will have on companies and organizations that gather, hold and process data. I recently wrote about why DBAs should care about it, and advised that you should start your GDPR journey now by finding out where your data is, what exactly that data is, and who is accessing it.

Soon, however, the wind will start blowing from another direction, that of what the GDPR calls ‘data subjects’. People, individuals, your customers. These ‘data subjects’ will wake up to the rights GDPR grants them and realize they should care about it too.

And they should. Yahoo recently admitted that a data breach four years ago leaked the account details of every one of its three billion customers, not the one billion it initially claimed. The head of the intelligence monitoring service in the UK, GCHQ, said just last week that keeping the UK safe from cyber-attacks is as important as fighting terrorism.

GDPR is introducing new rights at the same time that the threats to data are the biggest they’ve ever been. The more leaks and breaches there are, the more your customers will learn that GDPR grants them six specific rights, and the louder they’ll ask how you’re meeting those obligations.

It’s probably a good idea to understand what those rights are, so that you can explain how you’re meeting them.

The right to privacy

This is the biggest and the most telling. GDPR requires that data protection safeguards are integrated into products and services from the earliest stage of development, with privacy always the default option. Privacy by design will become a legal requirement, and only data absolutely necessary will be allowed to be held and processed.

The right of consent

Organizations will no longer be able to process the personal information of individuals unless they have been freely given a specific, informed and unambiguous indication of consent, either by a statement or by a clear affirmative action. Long terms and conditions worded in complicated legal language will no longer be accepted. Instead, clear and plain language will be required, as well as making it as easy to withdraw consent as it is to give it.

The right of access

This right is all about transparency and means that individuals have the right to be informed when data is collected about them, where from, what it is, and for what purpose. It goes further. A copy of all of the data held also has to be provided, free of charge, on request, in electronic format.

The right to be notified

GDPR requires organizations holding data on individuals to notify them if a data breach is likely to result in a risk to their rights and freedoms. This also has to be done within 72 hours of discovering the breach. This sounds innocuous, but think of what happened to Yahoo, and then try to calculate the cost of notifying millions, possibly billions, of customers in such a short time-frame.

The right to transfer data

GDPR brings portability to data, giving individuals the right to have their data transferred elsewhere in a ‘structured, commonly used, machine-readable and interoperable format’. It doesn’t go further in specifying the format, but it does raise the issue that sectors like banks and utility companies will probably need to agree a common format to avoid confusion.

The right to be forgotten

The big one. From next May, individuals will have the right to request that their personal data is erased without undue delay, and no longer disseminated or processed by third parties. This is not an unlimited right, but must be balanced against legal freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims. Expect confusion here, and probably a court case or two to establish its boundaries.

Now is a good time to think about the kind of personal data your company or organization processes, and how you’ll answer questions from customers when they become aware of their new rights.

You can find out more about keeping sensitive data secure on Redgate’s Data Privacy and Protection pages.

If you’d like to gain a deeper understanding of the GDPR, you can also read Richard’s other posts on the topic:

So what is GDPR, and why should Database Administrators care?

So what is a Data Protection Impact Assessment and why should organizations care?

So what is data mapping and why is it the key to GDPR compliance?

This blog post was first published on Dataversity on 14 November 2017.


  • John Mitchell

    “Organizations will no longer be able to process the personal information of individuals unless they have been freely given … consent”

    Richard, this is only true if none of the following applies (I’ve simplified it a little):
    (1) Processing is necessary for the performance of a contract with the individual;
    (2) Processing is necessary for compliance with a legal obligation to which the organisation is subject;
    (3) Processing is necessary to protect the vital interests of the individual or another person;
    (4) Processing is necessary for the performance of a task carried out in the public interest; or
    (5) Processing is necessary for the purpose of legitimate interests pursued by the organisation.

    See Article 6, clause 1 of the GDPR.


  • Sandy Lawrence

    Not to be picky, but in an article titled “So what is GDPR etc.” I’d expect the term GDPR to be defined. If you got here because you were in fact wondering what GDPR is, it stands for General Data Protection Regulation, adopted by the European Union in 2016 and enforceable in 2018. (Nice job on the “why your customers should care” part, though.) 🙂