General Data Protection Regulation (GDPR)


The world of data security is about to change. You may have heard rumors circulating around GDPR, but as the deadline approaches, how much do you really know about it and how it will affect your organization? Don’t worry, help is at hand: we’ve created a quick article about GDPR and how it affects you and your organization.

So, what is GDPR?

The General Data Protection Regulation will be effective on May 25, 2018, less than three months away! The GDPR is set to replace the old and outdated UK Data Protection Act 1998. The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all European citizens in Europe, and to reshape the way organizations approach data privacy across the region (EU website).

GDPR will apply to all organizations in Europe that offer services, and those services can range from commercial to charitable. One of the great things about GDPR is that, since it is an EU regulation, all companies that provide services to EU residents will be subject to the same rules. So, in a way, it should be easier for companies, because they will no longer need to understand the data protection laws of each individual country.

Another thing to keep in mind is that service providers who process data on behalf of an organization must also comply with GDPR. For example, if your company uses a cloud provider to manage its employees’ timesheets, then both the company and the cloud provider must comply with GDPR.

The GDPR is designed with two objectives in mind:


So, what is personal information?

Under the GDPR, personal data can be obtained either directly or indirectly from an individual and can be in any format.

Personal data that falls under the GDPR:

  • Name – Both first name and last name

  • Address

  • Email address

  • Pictures

  • IP address

  • Location information

  • Online behavior, i.e. cookies

  • Race

  • Religion

  • Political views

  • Trade union membership

  • Health information

  • Sexual orientation

  • Biometric data

  • Genetic data

  • Profiling and analytical information

If you think about the different products that you work with every day, how much of that is personal data? For example, if you hire a new business analyst at your organization, you will have to deal with CVs that contain personal data.

Companies are required to process personal data in accordance with six data protection policies:

  • Processed legally, fairly and transparently.

  • Collected for specific valid purposes only.

  • Adequate, relevant and limited to what is needed.

  • Must be accurate and up to date.

  • Retained only for as long as needed.

  • Processed with appropriate security, integrity and confidentiality.


Another thing

Individuals’ rights over what happens to their data are also expanding under GDPR. Here are two key points to note:

  • People can ask an organization for access to their data “at reasonable intervals” (it is not clear what that means). The regulation states that if a person makes this request, the data controller and processor (we will discuss their roles in more detail below) must respond to the request within one month. Under the GDPR, individuals have the right to access any information the company holds about them, and to know how that data is being processed, where it is stored and for how long.

  • People also have the right to request that their data be deleted if it is no longer needed for the purpose for which it was collected. For example, if you join a social media platform and later decide to withdraw your consent to data collection, you can then request that the company delete all of your data.

What else is changing

The regulation states that companies must be able to demonstrate compliance with the data protection policies. This requires an organization to take a risk-based approach to data protection and to ensure that appropriate policies and procedures are in place for handling personal data. There is also a requirement for organizations to build a culture of data privacy and security.

The way you obtain consent from a person is also changing. When companies obtain consent from individuals, those individuals must make an active and positive decision, and the request must spell out exactly what data will be used and how. Under the current regulations, companies may use pre-ticked boxes or opt-outs; this will not be possible under the GDPR.


There are two key roles that companies must fulfill under the GDPR:

  1. This role defines how personal data is processed and for what purpose. It is also responsible for ensuring that third-party suppliers and contractors comply with the GDPR, and for keeping a record of how consent was obtained from each individual.

  2. The individuals or groups of individuals who maintain and process personal data records; this may be outsourced to a third-party provider.

What happens if you violate the guidelines?

If your organization does not follow the regulation, it could face two types of penalties:

  1. If a data breach occurs, an organization under the GDPR has a 72-hour window to report it to the Data Protection Authority. Those who fail to meet the 72-hour deadline could face fines of up to 2% of their annual global revenue or €10 million, whichever is higher. This means that an organization must have a clearly defined plan for how, and to whom, it will report data breaches.

  2. If the company does not follow the GDPR’s data policies, it could be fined up to €20 million or up to 4% of its global annual turnover, whichever is higher.

Both of these penalties are much higher than anything under the current Data Protection Act.

What about Brexit?

You will be aware that the UK is leaving the EU, with the UK currently having until March 2019 (or possibly longer) to leave; this means that the UK must still comply with the GDPR. In 2017, the UK government introduced a new Data Protection Bill, which essentially replicates the GDPR requirements in UK law.

What should I do?

It is your job to find out what that is and to make it happen. There is no doubt that this will shake things up in the data protection world for both organizations and individuals. We will publish another blog post that will tell you what steps you, as a business analyst, need to take to ensure that you and your organization do not violate the GDPR.
