As of May 25, 2018, every company that sells to, or stores personal information about, European citizens will come under greater scrutiny, with significant implications for almost every area of the business.

The General Data Protection Regulation (GDPR) will come into effect in all countries across the European Union (EU) and the European Economic Area (EEA). Its goal is to give citizens of the EU and EEA greater control over their personal data, which GDPR defines as any information relating to a person, such as a name, an email address or bank details.

Given the scope of coverage, GDPR should be part of an organization’s overall data management strategy. It requires an inventory of all the information an organization holds and a clear definition of what “personal data” means.

GDPR Implementation

GDPR’s definition of personal data is more elaborate and is explicit in classifying information such as online identifiers (e.g., IP addresses) as personal data. This broader definition brings a wide array of identifiers under the heading of personal data, regardless of the technology or methods an organization uses to collect them. GDPR applies to both automated and manual processes that collect personal data, based on the qualification criteria set out in Regulation (EU) 2016/679.

Rolling out GDPR will have profound implications for almost every part of an organization that produces or consumes data. Among its many provisions, the following will have the greatest impact:

Obligatory data breach notification—Once the regulation takes effect in May 2018, companies that suffer a data breach are obliged to notify regulators and the individuals whose personal data was compromised. Because companies will want to mitigate or avoid the negative publicity and brand damage such disclosures bring, we expect to see them ramp up their risk and data management practices.

Right to be forgotten—This right gives individuals the power to request that organizations properly dispose of their data. When customer requests to delete personal data start flowing in, they will cause operational disruption: most organizations have never faced such requests before and so have no processes or workflows to service them. To avoid bottlenecks, companies will need to roll out data governance and re-architect critical customer relationship systems to handle these requests. Likewise, for invasive processes and activities such as customer segmentation, profiling and analytics, privacy audits may become more important.

Privacy by design—We can also expect European regulators to impose stringent privacy measures at the touchpoints that collect, retain and process personal information, in order to protect customers. These measures could be built into new products, services, devices and business processes; in other words, businesses may need to embed more privacy features throughout their operational interfaces.

Challenges Create Opportunity

As businesses are required to document and articulate their data and privacy postures more clearly, they must foster tighter collaboration between legal and technology teams, with the sole intent of avoiding penalties. Proposed fines can reach up to four percent of annual global turnover or €20 million, whichever is greater. The increased disclosure and transparency requirements mean that privacy notices will contain more detail and may therefore need to be revised for greater clarity.

In an environment that’s constantly changing, data is the new “oil.” Companies that demonstrate integrity, value their customers’ privacy and are transparent about how their data is used stand to gain deeper connections with their clients and a more loyal customer base.

Mithun Sridharan – Manager Business Consulting