So what is GDPR, and why should your customers care?

Updated November 2018

GDPR is here. Initially the articles leading up to the law were industry-focused, talking about the affect it would have on companies and organizations that gather, hold and process data. I also wrote about why DBAs should care about it, and advised that you should start your GDPR journey beforehand by finding out where your data was, what exactly that data was, and who was accessing it. At the original time of this articles publication there was still 7 months until the GDPR came into effect.

However, now that the law is in place we still must consider what the GDPR calls ‘data subjects’. People, individuals, your customers. These ‘data subjects’ are waking up to the rights GDPR grants them and realizing they should care about it too.

And they should. Yahoo admitted that a data breach five years ago leaked the account details of every one of its three billion customers, not the one billion it initially claimed. The head of the intelligence monitoring service in the UK, GCHQ, said that keeping the UK safe from cyber-attacks is as important as fighting terrorism.

GDPR introduced new rights at the same time that the threats to data were the biggest they had ever been. The more leaks and breaches there are, the more your customers will learn that GDPR grants them six specific rights, and the louder they’ll ask how you’re meeting those obligations.

It’s probably a good idea to understand what those rights are, so that you can explain how you’re meeting them.

The right to privacy

This is the biggest and the most telling. GDPR requires that data protection safeguards are integrated into products and services from the earliest stage of development, with privacy always the default option. Privacy by design has become a legal requirement, and only data absolutely necessary is allowed to be held and processed.

The right of consent

Organizations are no longer be able to process the personal information of individuals unless they have been freely given a specific, informed and unambiguous indication of consent, either by a statement or by a clear affirmative action. Long terms and conditions worded in complicated legal language are no longer be accepted. Instead, clear and plain language is required, as well as making it as easy to withdraw consent as it is to give it.

The right of access

This right is all about transparency and means that individuals have the right to be informed when data is collected about them, where from, what it is, and for what purpose. It goes further. A copy of all of the data held also has to be provided, free of charge, on request, in electronic format.

The right to be notified

GDPR requires organizations holding data on individuals to notify them if a data breach is likely to result in a risk to their rights and freedoms. This also has to be done within 72 hours of discovering the breach. This sounds innocuous, but think of what happened to Yahoo, and then try and calculate the cost of notifying millions, possibly billions of customers, in such a short time-frame.

The right to transfer data

GDPR brings portability to data, giving individuals the right to have their data transferred elsewhere in a ‘structured, commonly used, machine-readable and interoperable format’. It doesn’t go further in specifying the format, but it does raise the issue that sectors like banks and utility companies will probably need to agree a common format to avoid confusion.

The right to be forgotten

The big one. Individuals have the right to request that their personal data is erased without undue delay, and no longer disseminated or processes by third parties. This is not an unlimited right, but must be balanced against legal freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims. Expect confusion here, and probably a court case or two to establish its boundaries.

If you have not done so already, now is a good time to think about the kind of personal data your company or organization processes, and how you’ll answer questions from customers.

You can find out more about keeping sensitive data secure on Redgate’s Protect and Preserve Data page.


If you’d like to gain a deeper understanding of the GDPR, you can also read Richard’s other posts on the topic:

So what is GDPR, and why should Database Administrators care?

So what is a Data Protection Impact Assessment and why should organizations care?

So what is data mapping and why is it the key to GDPR compliance?


This blog post was first published on Dataversity on 14 November 2017.