The European General Data Protection Regulation (GDPR)

April 30, 2017
Written by EPI-USE Labs Staff writer

EPI-USE Labs is a global company with hubs throughout Europe, the United Kingdom, the Americas, Australia, the Philippines, South Africa, the Middle East and Turkey.

The implementation of the new General Data Protection Regulation (GDPR) is gathering momentum, heralding far-reaching changes to business operations, global commercial relationships and personal freedom for the business community that deals with the European Union.


The Main Tenets of the GDPR

  • A single set of rules. Data protection rules will blanket the entire EU to remove onerous administrative requirements.
  • A single authority. Each region will have a data protection regulator who will need to liaise with regulators in other EU countries. (That word “single” is not entirely accurate because there will be a super regulator.) The EU Data Protection Board will include the head of each national data protection regulatory body and the European Data Protection Supervisor. This Data Protection Board will be empowered to guide and resolve disputes among national regulators.
  • Definitions of data. The scope of “personal data” has expanded. Two new categories of data – genetic and biometric – are included on a list of “sensitive data”, which also includes racial or ethnic origin, political opinions, religious or philosophic beliefs, trade union membership and data concerning health or sexual orientation.
  • Pseudonymised vs anonymised data. The regulation does not apply to fully anonymised data, whereas pseudonymised data remains personal data because it can be re-associated with a specific individual.
  • Consent. This must be specific and informed and given freely by the data subject. There are, however, limitations on consent and consumers cannot be asked to agree to any unfair contractual terms in exchange for their consent. Consent is also not valid where there is “a clear imbalance [of power] between the [consumer] and the [company]”. Importantly, consent is not valid in the context of a contract if the consumer must give consent for use that is not necessary for the performance of the contract. This will significantly affect the business model of free apps or services that rely on selling user data to pay for the costs of providing the service.
  • Internal controls. Policies and procedures regarding this will have to be produced in the event of a complaint. Data breaches and investigations must be documented.
  • Data Protection Officer (DPO). Companies operating with large scale customer databases must have a DPO. SMEs of less than 250 employees will be exempt unless personal data processing is core to their business.
  • Data portability. Consumers will have easier access to their data and transferring it will be made easier.
  • A "right to be forgotten" or erasure. When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
  • Data protection by design and by default. ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
  • Breach notification. Companies have 72 hours to notify the national data protection regulator of any breaches.
  • Fines for mismanagement. Fines of up to 4% of worldwide turnover will be issued to companies for data mismanagement.


How to prepare for GDPR

  1. Prepare to redesign your data management processes and IT systems with a much greater emphasis on data protection and security. Note that you will be required to show your security policies and strategies on request.
  2. Form a group to oversee all your privacy activities under a senior manager. If you have more than 250 employees, appoint a Data Protection Officer. This group will need to report regularly on the status of privacy efforts and create statements of compliance.
  3. Create and implement a breach notification process and enhance your incident management and detection and response capabilities. Every data breach must be reported even if protective measures such as encryption are in place.
  4. Prepare your company to fulfil the “right to be forgotten”, “the right to erasure” and the “right to data portability” requirements. You will need to institute a strategy for data classification, retention, collection, removal, storage and search. All methods of data collection must be included such as the internet, call centres and paper.
  5. Create and enforce privacy throughout your systems. Privacy controls will have to be simpler, stronger, harder to bypass and embedded in the system’s core functionality.

