Wednesday, September 6, 2017

GDPR, more than just a legal thing

GDPR (General Data Protection Regulation) is the 'new' European Union law on the protection of personal data of European citizens.
Considering the digitization of information over the past decades and the increased power of the internet, it should come as no surprise that governments act on behalf of the citizens to protect their privacy.

The GDPR protects EU citizens through a set of rights around personal data with a law violation penalty of up to 4% of the annual global turnover or €20.000.000. This indicates the seriousness of the 'new' law.

The GDPR describes actions and principles which companies must implement, such as:

Data Protection Officer
A Data Protection Officer (DPO) is required for companies processing large amounts of personal data or privacy-sensitive personal data. The DPO can be either a staff member or an external service provider, and is responsible for overseeing that data protection law is not violated.

Breach Notification
If (by accident or deliberately) protected personal information is 'leaked', this is to be reported proactively within 72 hours to the respective owners of the data (the individuals).

Data Portability
Individuals have the right to request their data to be transported between companies, for instance when they switch telecom or utilities provider.

Right to Access
Individuals have the right to receive the data that has been gathered about them. This covers both descriptive data about the individual and records of interactions or other transactional facts.

Right to be Forgotten
Companies should proactively 'forget' (erase) data that is no longer relevant to the original purpose. Individuals also have the right to request a company to 'forget' them. This implies that the information as described in the 'Right to Access' should be erased. This is a tricky one, as other laws might require the company to keep the information. The 'other laws' such as tax laws usually win.

In practice

So much for the theory. In practice, some measures can be implemented easily, such as assigning the DPO and implementing a process for Breach Notification.
But what about 'Data Portability', the 'Right to Access' and the 'Right to be Forgotten'? These can be somewhat difficult in practice.

Right to Access

Let's start with the 'Right to Access'. Someone knocks on your customer service door and says 'Tell me what you know about me'.

First, the person should be identified (to prevent a case of data leakage).
Then all information on the individual should be gathered and presented.
But how do you know what 'all' information is? And what if other individuals are also contained in the same data record?
Also be aware that information can be scattered over several systems in your landscape. Should a process or a system gather all information based on a set of keys?

If a person claims to own a certain email address, is it safe to conclude that all information linked to that email address is in scope of the request? Not many companies have a clean golden record for each customer.

Right to be forgotten

Then the 'Right to be forgotten'. This part is based on the 'Privacy by Design' principle, where you only store the data that is relevant for the process you have gathered it for. So, if you store an email address or telephone number for the purpose of service or warranty, the email address and telephone number should be erased after the service or warranty period has passed. This would be a pretty straightforward case.

But what if there are multiple business rules on a single piece of information? Some might require the information to be kept, and others might require it to be forgotten. This can be complex.

Combining the two

So what if a customer knocks on your customer service door and says:

What would be the expected outcome? What information would be erased and what would be kept?
Obviously, the customer is withdrawing 'consent to data processing', which brings a new set of rules into play for processing this person's data.
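As an added illustration (not code from the original post), here is a small Python model of the two problems raised above: data scattered over several systems that know the person under different keys, and several business rules applying to the same piece of information when consent is withdrawn. The systems, field names, purposes and retention dates are constructed assumptions; the 'tax' rule stands in for the "other laws usually win" case.

```python
"""Added example, not code from the original post: a small model of an
erasure request ('right to be forgotten') hitting data that is scattered over
several systems and governed by conflicting retention rules.

All systems, records, purposes and retention dates below are constructed
assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    system: str                   # system in the landscape that holds the item
    subject_keys: FrozenSet[str]  # identifiers under which that system knows the person
    field: str                    # e.g. "email"
    purpose: str                  # why it was collected: "consent", "warranty" or "tax"
    retain_until: Optional[date]  # end of a contractual/statutory retention period, or None


# Purposes backed by another law (here: an assumed tax-law retention duty).
# Such an obligation wins over an erasure request while its period runs.
STATUTORY_PURPOSES = {"tax"}
# Purposes that rest on a contract and end with the contract (warranty, service).
CONTRACTUAL_PURPOSES = {"warranty", "service"}


def gather(records: Iterable[Record], keys: Set[str]) -> List[Record]:
    """Collect every record any system links to one of the requester's keys.

    This is the 'set of keys' question from the post: a billing system may know
    the person only by e-mail while the CRM uses a customer id."""
    return [r for r in records if r.subject_keys & keys]


def decide(record: Record, today: date, consent_withdrawn: bool) -> str:
    """Return 'keep' or 'erase' for a single data item."""
    period_running = record.retain_until is not None and today <= record.retain_until
    if record.purpose in STATUTORY_PURPOSES:
        # Assumed tax law requires retention: the request cannot override it,
        # but once the period has lapsed the purpose is exhausted and the item goes.
        return "keep" if period_running else "erase"
    if record.purpose in CONTRACTUAL_PURPOSES:
        # Still needed to honour the contract (e.g. an open warranty).
        return "keep" if period_running else "erase"
    if record.purpose == "consent":
        # Nothing but consent justified this item; withdrawing consent removes it.
        return "erase" if consent_withdrawn else "keep"
    # Unknown purpose: an item nobody can justify should not be retained.
    return "erase"


def handle_erasure_request(records: Iterable[Record], keys: Set[str],
                           today: date) -> Dict[Tuple[str, str], str]:
    """Map each (system, field) the person is known under to its decision."""
    return {(r.system, r.field): decide(r, today, consent_withdrawn=True)
            for r in gather(records, keys)}


# Constructed sample landscape: a CRM that knows the customer id, a billing
# system that only stores the e-mail, and a marketing tool with a preference.
SAMPLE_RECORDS = [
    Record("crm", frozenset({"C-1001", "alice@example.invalid"}), "email",
           "consent", None),
    Record("crm", frozenset({"C-1001"}), "phone", "warranty", date(2019, 3, 1)),
    Record("billing", frozenset({"alice@example.invalid"}), "invoice_address",
           "tax", date(2024, 12, 31)),
    Record("marketing", frozenset({"alice@example.invalid"}), "newsletter_pref",
           "consent", None),
    Record("crm", frozenset({"C-2002"}), "email", "consent", None),  # another customer
]
SAMPLE_KEYS = {"C-1001", "alice@example.invalid"}
SAMPLE_REQUEST_DATE = date(2017, 9, 6)  # the date of the post


def run_sample() -> Dict[Tuple[str, str], str]:
    """Run the constructed erasure request and return the per-item decisions."""
    return handle_erasure_request(SAMPLE_RECORDS, SAMPLE_KEYS, SAMPLE_REQUEST_DATE)


if __name__ == "__main__":
    for (system, field), action in sorted(run_sample().items()):
        print(f"{system:10s} {field:16s} -> {action}")
```

Run as a script, the sample erases the consent-based email and newsletter preference, keeps the phone number while the assumed warranty runs, and keeps the invoice address under the assumed tax retention period; the same `gather()` step is what a 'Right to Access' answer would start from, since both rights need the same complete set of records first.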


When preparing for the GDPR to be enforced, make sure you are aware of and have covered all legal requirements, but also implement processes, both human and automated, to support the exercise of the right to access and the right to be forgotten. Make sure everyone in your company is aware of the do's and don'ts related to customer data, and knows what to do when privacy-related questions or issues arise.