So what is GDPR, and why should your customers care?

GDPR is here. Initially the articles leading up to the law were industry-focused, talking about the effect it would have on companies and organizations that gather, hold and process data. I also wrote about why DBAs should care about it, and advised that you should start your GDPR journey beforehand by finding out where your data was, what exactly that data was, and who was accessing it. At the time of this article's original publication there were still seven months until the GDPR came into effect.

However, now that the law is in place we still must consider what the GDPR calls ‘data subjects’. People, individuals, your customers. These ‘data subjects’ are waking up to the rights GDPR grants them and realizing they should care about it too.

And they should. Yahoo admitted that a data breach five years ago leaked the account details of every one of its three billion customers, not the one billion it initially claimed. The head of the intelligence monitoring service in the UK, GCHQ, said that keeping the UK safe from cyber-attacks is as important as fighting terrorism.

GDPR introduced new rights at the same time that the threats to data were the biggest they had ever been. The more leaks and breaches there are, the more your customers will learn that GDPR grants them six specific rights, and the louder they’ll ask how you’re meeting those obligations.

It’s probably a good idea to understand what those rights are, so that you can explain how you’re meeting them.

The right to privacy

This is the biggest and the most telling. GDPR requires that data protection safeguards are integrated into products and services from the earliest stage of development, with privacy always the default option. Privacy by design has become a legal requirement, and only the data that is absolutely necessary may be held and processed.

The right of consent

Organizations are no longer able to process the personal information of individuals unless they have been freely given a specific, informed and unambiguous indication of consent, either by a statement or by a clear affirmative action. Long terms and conditions worded in complicated legal language are no longer accepted. Instead, clear and plain language is required, and it must be as easy to withdraw consent as it is to give it.

The right of access

This right is all about transparency and means that individuals have the right to be informed when data is collected about them, where from, what it is, and for what purpose. It goes further. A copy of all of the data held also has to be provided, free of charge, on request, in electronic format.

The right to be notified

GDPR requires organizations holding data on individuals to notify them if a data breach is likely to result in a risk to their rights and freedoms. This also has to be done within 72 hours of discovering the breach. This sounds innocuous, but think of what happened to Yahoo, and then try to calculate the cost of notifying millions, possibly billions, of customers in such a short time-frame.

The right to transfer data

GDPR brings portability to data, giving individuals the right to have their data transferred elsewhere in a ‘structured, commonly used, machine-readable and interoperable format’. It doesn’t go further in specifying the format, but it does raise the issue that sectors like banks and utility companies will probably need to agree a common format to avoid confusion.

The right to be forgotten

The big one. Individuals have the right to request that their personal data is erased without undue delay, and no longer disseminated or processed by third parties. This is not an unlimited right, but must be balanced against legal freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims. Expect confusion here, and probably a court case or two to establish its boundaries.

If you have not done so already, now is a good time to think about the kind of personal data your company or organization processes, and how you’ll answer questions from customers.

You can find out more about keeping sensitive data secure on Redgate’s Protect and Preserve Data page.


If you’d like to gain a deeper understanding of the GDPR, you can also read Richard’s other posts on the topic:

So what is GDPR, and why should Database Administrators care?

So what is a Data Protection Impact Assessment and why should organizations care?

So what is data mapping and why is it the key to GDPR compliance?


This blog post was first published on Dataversity on 14 November 2017.

  • John Mitchell

    “Organizations will no longer be able to process the personal information of individuals unless they have been freely given … consent”

    Richard, this is only true if none of the following applies (I’ve simplified it a little):
    (1) Processing is necessary for the performance of a contract with the individual;
    (2) Processing is necessary for compliance with a legal obligation to which the organisation is subject;
    (3) Processing is necessary to protect the vital interests of the individual or another person;
    (4) Processing is necessary for the performance of a task carried out in the public interest; or
    (5) Processing is necessary for the purpose of legitimate interests pursued by the organisation.

    See Article 6, clause 1 of the GDPR.

    John

  • Sandy Lawrence

    Not to be picky, but in an article titled “So what is GDPR etc.” I’d expect the term GDPR to be defined. If you got here because you were in fact wondering what GDPR is, it stands for General Data Protection Regulation, adopted by the European Union in 2016 and enforceable in 2018. (Nice job on the “why your customers should care” part, though.) 🙂
