Opportunities for Greater Value

from Data with the GDPR

©2018 BackOffice Associates, LLC. All Rights Reserved.

1 of 11
 Opportunities for Greater Value from Data with the GDPR
Contents

Introduction

An Overview of the GDPR

Better Value from Data from GDPR Requirements

Conclusion

The General Data Protection Regulation (GDPR) intends to strengthen data

protection rights for all European Union (EU) citizens and residents, as well
as the security requirements for organizations that collect and process their
personal data. All organizations — including those that do not have a physical
presence in the EU — that offer services and/or products within the European
market or that collect personal data of European citizens and residents,
must comply with GDPR requirements. Beginning May 25th, 2018, affected
organizations that fail to comply could be fined up to 4% of their prior year’s
annual turnover, or 20,000,000 EUR, whichever is greater. The implications
of the GDPR have therefore significantly raised the importance of data to the
Executive level.

According to Gartner,

“By the end of 2018, more than 50% of companies affected by

the GDPR will not be in full compliance with its requirements.”

GARTNER, HOW DATA AND ANALYTICS LEADERS CAN LEVERAGE GDPR

FOR INCREASED BUSINESS VALUE, AUGUST 2017

2 of 11
 Opportunities for Greater Value from Data with the GDPR

Introduction continued

The GDPR replaces the EU Data Protection Directive The GDPR does not mandate a specific solution to achieve
(Directive 95/46/EC) that has been in effect since 1995. compliance, nor does it define a specific set of actions to
Thus, many organizations already have processes and be taken to meet its requirements. Rather, it illustrates the
procedures in place that are consistent with the GDPR. final, required state whereby organizations must mitigate
However, the GDPR adds new requirements, including in the risks to the privacy of the individuals whose data is
the areas of consent, breach notification, trans-border collected and processed as part of their activities. Thus,
data transfers, and the appointment of a Data Protection organizations can develop ‘right fit’ approaches based on
Officer (DPO). their unique environments that ensures that personal data
is collected and processed appropriately and legally, and
is accurate and protected. Achieving compliance with the
GDPR is not an end game for an organization. Rather than
being a one-and-done effort (à la Y2K), organizations will be
required to maintain compliance, as they can be called upon
at any time to validate it.

While it could be viewed as a threat because of its strict

requirements and high penalties, the GDPR actually creates
The GDPR actually creates an an opportunity for an organization to transform critical data
into a asset that generates tremendous economic value
opportunity for an organization to and competitive advantages. Fundamentally, the Regulation
transform critical data into a asset that requires that an organization examine how it uses, and
could use, personal data across its operations. The good
generates tremendous economic value data management practices and operational changes that
and competitive advantages. emerge from compliance efforts can be applied to all types
of critical data to help improve operational efficiencies, and
grow the organization in new ways.

©2018 BackOffice Associates, LLC. All Rights Reserved.

3 of 11
 Opportunities for Greater Value from Data with the GDPR

An Overview of the GDPR

The GDPR applies to the processing of data that could be used to identify an
individual — personal data. It asserts that “the protection of natural persons in
relation to the processing of personal data is a fundamental right” but not an
absolute right as “it must be considered in relation to its function in society and be
balanced against other fundamental rights”. Thus, the GDPR recognizes that the
processing of personal data creates economic value and doesn’t seek to restrict it.
Rather, it grants certain rights to individuals, and assigns responsibilities to those
parties that collect and process personal data to ensure that the needs and rights
of all parties are in balance. The GDPR also does not seek to restrict the flow of
personal data within the global market, however, there are a variety of provisions
that must first be met in order for personal data to be transferred across country
borders and to international organizations. Finally, there are selected situations
in which compliance is not required, such as when data is processed in the
prevention or prosecution of criminal activities, and in issues of national security
and public health.

Said another way, one could assert that an organization Personal data is any data that could be used, either directly
no longer officially own data that can be used to identify or indirectly, to identify living citizens and residents of
an individual. That data is now owned by the individual and the European Union, including those who are internal
the organization must ‘lease’ it. Therefore, agreements and (e.g. employees) and external (e.g. customers, prospects,
consent between the individual and an organization need to partners, public figures) to an organization. However, what
put in place just like in any other business agreement where constitutes personal data is very broad. Not simply limited to
something is leased. names, addresses, and phone numbers; personal data could
be any data that could be used to identify an individual —
such as IP addresses, images and videos, online identifiers,
©2018 BackOffice Associates, LLC. All Rights Reserved.

voice recordings and voice streaming data from personal

Personal Data includes IP addresses, assistant services such as Amazon Alexa, as well as health,
images and videos, online identifiers, genetic and biometric data [Art. 4].
voice recordings and voice streaming data
The guiding principle of the GDPR is that personal data must
from personal assistant services such as
be processed lawfully, fairly and in a transparent manner.
Amazon Alexa, as well as health, genetic Collected data must be aligned with a specific purpose;
and biometric data. not be used beyond that purpose; be limited to only what

4 of 11
 Opportunities for Greater Value from Data with the GDPR

An Overview of the GDPR continued

is necessary for that purpose; and be kept in a form that for the processors that they select. A recipient is a party
can be used to identify an EU citizen or resident for no to which personal data is disclosed — which could either
longer than is necessary to serve that purpose. It must also be internal or external to the controller. And a supervisory
be accurate and kept up-to-date, and be processed in a authority is an independent public authority established by
security-rich environment [Art 5]. an EU Member State. [Art. 4].

The requirements of the GDPR apply to

any organization that collects, stores, and
processes the personal data of data subjects
— regardless of where the organization is
headquartered or maintains offices, regardless
of where the processing of personal data takes
place, and regardless of whether or not the
processing is related to the offering of goods
or services for a payment.

The GDPR defines several parties that are affected by the The requirements of the GDPR apply to any organization
regulation. For example, a data subject is an identifiable that collects, stores, and processes the personal data of
and living EU citizen or resident for whom personal data data subjects — regardless of where the organization is
can identify. A controller is an organization that collects headquartered or maintains offices, regardless of where the
data on data subjects, while a processor is an organization processing of personal data takes place, and regardless of
that processes personal data on behalf of a controller. whether or not the processing is related to the offering of
Controllers and processors could be separate entities, and goods or services for a payment. Many organizations across
while both have responsibilities under the GDPR, controllers the globe will therefore be required to comply with the GDPR
bear the primary responsibility for compliance and are liable — not just those that have a physical presence within the EU.
©2018 BackOffice Associates, LLC. All Rights Reserved.

5 of 11
 Opportunities for Greater Value from Data with the GDPR

Better Value from Data

from GDPR Requirements

As with any regulation, the starting point for an organization on its journey
towards GDPR compliance will be the involvement of legal counsel, and most likely
business consulting firms. Although the legal framework of the GDPR is beyond
the scope of this document, it should be noted that while the GDPR will be applied
uniformly by all EU Member State, each may choose to enact more specific
requirements. An organization therefore needs to understand its legal obligations
to each EU Member State within which it collects, processes, and transfers
personal data. And although the GDPR does permit the global flow of personal
data to recipients in third countries and to international organizations, there
are many restrictions and exceptions of which an organization must determine
applicability to its operations.

A gap analysis should be performed between how an The GDPR requires that a selected set of organizations
organization currently collects, processes, secures, and appoint a Data Protection Officer (DPO) — for example,
transfers personal data; and a state that complies with public bodies, and those whose activities consist of
the GDPR requirements. A high-level overview of the key processing that requires regular monitoring of data subjects
provisions is provided in this document. on a large scale. A DPO is an expert in data protection law
and practices. This role could be internal or external to an
The results of this analysis will provide an organization with organization, and is required to “be involved in all issues
a better understanding of the personal data it maintains, that relate to the protection of personal data”. [Art. 37,38]
who owns it and has access to it, and the impact that However, even if an organization is not required to name a
the collection and processing of personal data has on its DPO, it will find that doing so centralizes ownership of the
operations, and ultimately its outcomes. It will generate broad changes required by the Regulation, as well as good
a clear map of where personal data flows and impacts management practices for all categories of data.
policies, processes, rules, systems, and people. A thorough
assessment of the security posture and quality of personal The actions of employees could inadvertently lead to the
data will be developed. The knowledge gained provides unlawful processing of personal data, and in fact, the
©2018 BackOffice Associates, LLC. All Rights Reserved.

an opportunity, with guidance from the GDPR, to reshape GDPR specifically states that “any person acting under the
areas of the organization, and the personal data used by authority of the controller or of the processor, who has
them not only to achieve compliance, but also to improve access to personal data, shall not process those data except
performance. The same techniques can be applied to other on instructions from the controller, unless required to do
critical data — for example, product data. When data is better so by Union or Member State law.“ [Art. 29] Therefore, an
understood, it is more trusted and thus is a more valuable organization should roll out a comprehensive and ongoing
business asset. training program to ensure that all employees understand

6 of 11
 Opportunities for Greater Value from Data with the GDPR

Better Value from Data

from GDPR Requirements continued

their responsibilities with respect to the Regulation — which An organization must take a multi-faceted approach to
will result in improved handling and management of data protect personal data from unauthorized access, use,
by people. alteration, disclosure, and destruction. For example, it will
need to ascertain and set policies for the security profile
As the GDPR is an enduring mandate, an organization must surrounding personal data. This includes, for example, the
put procedures in place that demonstrate compliance when security configurations of hosting systems, cloud platforms,
requested. The GDPR does encourage the development and network nodes, and endpoint devices.
approval of Codes of Conduct and certification mechanisms
within industries, which can help showcase that an An organization must take inventory of all of the various
organization is in compliance with the Regulation [Art. 40]. ways that it processes personal data, and ensure that it
However, these tactics are not intended to be substitutes for adheres to the principles of the GDPR: that processing of
the good data practices mandated by the GDPR. personal data is lawful; and the personal data it collects is
for a specific and legitimate purpose, and limited to only
An organization must take inventory of its data, and what is necessary for processing (called privacy by default).
determine if it could be used to identify a citizen or resident
of the EU. This exercise will be a challenge as organizations Where processing is performed by external parties,
typically have personal data stored (and often duplicated) controllers are required to only work with those processors
in many disconnected places and formats — many of which that provide “sufficient guarantees to implement
are often beyond the oversight of the IT department. This appropriate technical and organizational measures” to
could include both structured and unstructured formats, meet GDPR requirements and protect data subjects’ rights.
in business systems and the cloud, desktop and mobile [Art. 28]. Therefore, controllers will need to put procedures
devices, as well as unconventional places such as backup in place that evaluate and ensure that the processors it
tapes. Policies and processes must be established so employs are compliant with the Regulation.
that this critical data is centrally managed and accessed.
Detailed metadata must be generated that clearly describes Organizations are required to pay special attention to
retained personal data, so that it is well understood and processing that “is likely to result in a high risk to the rights
used appropriately. and freedoms of natural persons”. It must assess the impact
of these types of processing on the protection of personal
An organization must also inventory the various ways in data, and consult with their supervisory authority on their
which it collects personal data, either by obtaining it directly legality [Art. 35]. Of particular note is a type of automated
from data subjects through electronic or manual (e.g. verbal, processing called profiling, which is fully automated
paper) orchestrated processes, by obtaining it automatically processing that, for example, can determine additional
through sensors or embedded technologies such as tracking characteristics about a data subject from personal data, or
cookies, or by purchasing it from 3rd party dataset providers. predict future behavior. Data subjects can elect to not have
©2018 BackOffice Associates, LLC. All Rights Reserved.

According to Gartner,

“GDPR compliance is not a one-time activity;

it requires ongoing data governance and monitoring.”
GARTNER, HOW TO IMPLEMENT FILE ANALYSIS FOR GDPR CHALLENGES, OCTOBER 2017

7 of 11
 Opportunities for Greater Value from Data with the GDPR

Better Value from Data

from GDPR Requirements continued

their personal data be subject to this type of processing, –– Describe precisely how the data will be processed.
and resulting decisions (subject to certain conditions) Consent must be given unambiguously or explicitly, and
[Art. 19]. An organization will need to understand where it cannot, for example, be inferred through silence, or
implements this type of processing, and determine how its obtained through ambiguous or deceptive means (i.e.
outcomes will be affected when it is restricted. pre-checked boxes). Data subjects can elect to withdraw
their consent at any time.
An organization must also determine if it processes personal
data in a way that ensures that it is inherently protected ++ Whether collected by the controller [Art. 13] or obtained
(called privacy by design) [Art 25]. The GDPR encourages through other means [Art. 14], the controller must clearly
organizations to apply various techniques and technologies communicate to the data subject in clear, concise and
that render breached data useless to those who don’t have plain language [Art. 12], information that includes, but is
authority to it. This would include, for example, encryption not limited to:
as well as pseudonymization — the replacement of fields –– Their specific personal data that it processes.
that could be used to identify an individual with artificial
–– Details on how their personal data is processed, both
identifiers (pseudonyms), such as unique numbers, to make
by human-driven and automated processes.
it more difficult to ascertain the identity of the individual.
Regular testing of the organizational and technical measures –– The 3rd parties, foreign countries or international
to protect data is also encouraged [Art 32]. organizations that receive their data from
the controller.
An in-depth analysis of personal data and how it is processed –– The name of the DPO.
will provide a comprehensive view of its lineage and impact
–– The period of time for which their data will
— detailing where personal data comes from, where it is
be processed.
maintained, who and how it is accessed and changed, and
what processes are dependent upon it. This knowledge ++ The controller must take action on personal data upon the
will be incredibly valuable not only for compliance efforts, request of a data subject, including to:
but also in optimizing the use of personal data so that it –– Inform the data subject if, and how, their personal data
generates maximum value for the organization. is being processed [Art. 15]
The GDPR grants specific rights to data subjects with –– Correct inaccuracies discovered within their personal
regards to the processing of their personal data by data [Art. 16]
controllers and processors. Regardless of whether an –– Erase their personal data as long as a variety of
organization collects personal data directly or receives it conditions exist, [Art. 17] and instruct all recipients to
from a third party, it is responsible for it under the GDPR. follow suit [Art. 19]
These rights impose several responsibilities on a controller, –– Restrict the processing of their personal data when one
which can be summarized as follows: of a variety of conditions exist [Art. 18] and instruct all
©2018 BackOffice Associates, LLC. All Rights Reserved.

recipients to follow suit [Art. 19].

++ In certain cases, controllers must obtain unambiguous or
explicit[EI8] consent from data subjects in order to collect –– Transfer their personal data (if possible) to the data
and process their personal data. The request for consent subject, or directly to another controller, in a commonly
must meet strict requirements, including: used, machine-readable format (e.g. a spreadsheet)
[Art. 20]
–– That it be stated in plain language.
–– Remove their personal data from automated
–– Be clear on the specific personal data that will
processing, typically when used for profiling [Art. 22]
be collected.

8 of 11
 Opportunities for Greater Value from Data with the GDPR

Better Value from Data

from GDPR Requirements continued

The GDPR demands that personal data be accurate and kept Finally, the GDPR requires that controllers maintain a record
up to date. Thus, an organization will need to understand the of processing activities that fall under its responsibility.
current quality of its personal data, and enforce associated There are a number of details that must be included in
policies for quality. The GDPR also mandates that personal these records, including the purposes of the processing, a
data can only be maintained by an organization as long description of the affected categories of data subjects and
as necessary to support the processing for which it was personal data, the categories of the recipients to whom the
originally collected. Therefore, controllers will need to data will be disclosed, identification of third countries and/
establish policies that define when personal data must be or international organizations to which the data is disclosed,
erased, and procedures to communicate with processors the DPO, the length of time the data will be kept, and a
and recipients to follow suit. description of the security measures put in place to protect
the data. Processors have similar reporting requirements.
These reports must be in human readable format, and made
available to supervisory authorities upon request [Art.
30]. An organization will thus be required to implement a
robust record collection and reporting system that provides
traceability and details across personal data, the processing
of it, the consent given by data subjects for the processing,
and the transfer of it to third parties.

Organizations should consider migrations to new and

modern systems to improve the security, structure, quality,
and processing of personal data. They should consider
The GDPR defines a personal data breach as one that leads
implementing a data quality solution to monitor personal
“…to the accidental or unlawful destruction, loss, alteration,
data, and enforce policies to ensure it is consistent and
unauthorized disclosure of, or access to personal data
complete. And finally, organizations should seek to establish
transmitted, stored, or processed” [Art. 4]. A controller
a governance practices that define and enforce policies for
must notify the supervisory authority of its Member
personal data — such as for security, quality, processing,
State within 72 hours from the point that they become
and auditing.
aware of a personal data breach if it determines that it “is
likely to result in a high risk to the rights and freedoms
of individuals” [Art. 33]. It must then notify affected data
subjects without delay [Art. 34]. Therefore, the controller
must establish incident response procedures to help
identify when a breach occurs, and communicate clearly
and effectively with those impacted. Finally, an organization
©2018 BackOffice Associates, LLC. All Rights Reserved.

will need to incorporate various auditing procedures to help

illustrate compliance and identify non-compliant activities.
It will need to put controls in place to help safeguard against
inadvertent compliance failures, for example, unauthorized
transfers of personal data to third parties.

9 of 11
 Opportunities for Greater Value from Data with the GDPR

Conclusion

Compliance with the General Data Protection Regulation will require that many areas of an organization work together
to examine and change policies, practices, and technologies related to personal data. Although technology will play an
important role in helping achieve compliance, the scope of the requirements extend beyond the purview of software,
therefore no software can make an organization completely compliant. Regardless, the benefits gained as a result of
compliance efforts can lead to the establishment of effective governance practices for all types of critical data — which can
help generate impactful new insights that lead to greater efficiencies, growth and competitive advantage; and enable it to
react with agility and speed to meet rapidly changing markets.

According to Gartner,

“Organizations preparing for GDPR compliance have a unique

opportunity to leverage GDPR requirements, including the
enhanced data subject consent rules, to increase business
value and uncover digital business opportunities.”
GARTNER, HOW DATA AND ANALYTICS LEADERS CAN LEVERAGE GDPR
FOR INCREASED BUSINESS VALUE , AUGUST 2017

©2018 BackOffice Associates, LLC. All Rights Reserved.

10 of 11
 We believe BackOffice Associates products and
services provide our customers a significant advantage
and cost savings in developing, implementing and
managing a holistic, integrated strategy to data
Contact us for a data assessment. governance and data management. However,
developing and implementing a comprehensive
BackOffice Associates, LLC NA +1 508.430.7100 compliance strategy requires an organization-
©2018 BackOffice Associates, LLC. All Rights Reserved.

specific assessment of its data assets and processes

info@boaweb.com EU +44 (0) 1252 938888 along with an analysis of how GDPR impacts those
www.boaweb.com APJ & ME +65 63610360 assets and processes. While BackOffice’s technology
undoubtedly can assist its customers during this
analysis, the ultimate determination of compliance
with GDPR or any other data protection legislation
remains exclusively with the customer. All materials
provided by BackOffice are its copyrighted works, are
for informational purposes only, and are not intended
©2018 BackOffice Associates, LLC. BackOffice Associates, Boring Go Live and all associated logos are trademarks or registered trademarks of BackOffice Associates,
LLC in the United States of America and elsewhere. SAP as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and several to and should not be relied upon or construed as a
other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. All other products, company names, brand names, trademarks and logos are legal opinion or legal advice regarding any specific
the property of their respective companies. issue or factual circumstance.

11 of 11