
Opportunities for Greater Value from Data with the GDPR

©2018 BackOffice Associates, LLC. All Rights Reserved.

Contents

Introduction

An Overview of the GDPR

Better Value from Data from GDPR Requirements

Conclusion

Introduction

The General Data Protection Regulation (GDPR) intends to strengthen data protection rights for all European Union (EU) citizens and residents, as well as the security requirements for organizations that collect and process their personal data. All organizations — including those that do not have a physical presence in the EU — that offer services and/or products within the European market or that collect personal data of European citizens and residents, must comply with GDPR requirements. Beginning May 25th, 2018, affected organizations that fail to comply could be fined up to 4% of their prior year’s annual turnover, or 20,000,000 EUR, whichever is greater. The implications of the GDPR have therefore significantly raised the importance of data to the Executive level.

According to Gartner, “By the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements.”

Gartner, How Data and Analytics Leaders Can Leverage GDPR for Increased Business Value, August 2017


The GDPR replaces the EU Data Protection Directive (Directive 95/46/EC) that has been in effect since 1995. Thus, many organizations already have processes and procedures in place that are consistent with the GDPR. However, the GDPR adds new requirements, including in the areas of consent, breach notification, trans-border data transfers, and the appointment of a Data Protection Officer (DPO).

The GDPR does not mandate a specific solution to achieve compliance, nor does it define a specific set of actions to be taken to meet its requirements. Rather, it illustrates the final, required state whereby organizations must mitigate the risks to the privacy of the individuals whose data is collected and processed as part of their activities. Thus, organizations can develop ‘right fit’ approaches based on their unique environments that ensure that personal data is collected and processed appropriately and legally, and is accurate and protected. Achieving compliance with the GDPR is not an end game for an organization. Rather than being a one-and-done effort (à la Y2K), organizations will be required to maintain compliance, as they can be called upon at any time to validate it.

While it could be viewed as a threat because of its strict requirements and high penalties, the GDPR actually creates an opportunity for an organization to transform critical data into an asset that generates tremendous economic value and competitive advantages. Fundamentally, the Regulation requires that an organization examine how it uses, and could use, personal data across its operations. The good data management practices and operational changes that emerge from compliance efforts can be applied to all types of critical data to help improve operational efficiencies, and grow the organization in new ways.


An Overview of the GDPR

The GDPR applies to the processing of data that could be used to identify an individual — personal data. It asserts that “the protection of natural persons in relation to the processing of personal data is a fundamental right” but not an absolute right, as “it must be considered in relation to its function in society and be balanced against other fundamental rights”. Thus, the GDPR recognizes that the processing of personal data creates economic value and doesn’t seek to restrict it. Rather, it grants certain rights to individuals, and assigns responsibilities to those parties that collect and process personal data to ensure that the needs and rights of all parties are in balance. The GDPR also does not seek to restrict the flow of personal data within the global market; however, there are a variety of provisions that must first be met in order for personal data to be transferred across country borders and to international organizations. Finally, there are selected situations in which compliance is not required, such as when data is processed in the prevention or prosecution of criminal activities, and in issues of national security and public health.

Said another way, one could assert that an organization no longer officially owns data that can be used to identify an individual. That data is now owned by the individual and the organization must ‘lease’ it. Therefore, agreements and consent between the individual and an organization need to be put in place just like in any other business agreement where something is leased.

Personal data is any data that could be used, either directly or indirectly, to identify living citizens and residents of the European Union, including those who are internal (e.g. employees) and external (e.g. customers, prospects, partners, public figures) to an organization. What constitutes personal data is very broad: it is not limited to names, addresses, and phone numbers, but is any data that could be used to identify an individual — such as IP addresses, images and videos, online identifiers, voice recordings and voice streaming data from personal assistant services such as Amazon Alexa, as well as health, genetic and biometric data [Art. 4].

The guiding principle of the GDPR is that personal data must be processed lawfully, fairly and in a transparent manner. Collected data must be aligned with a specific purpose; not be used beyond that purpose; be limited to only what is necessary for that purpose; and be kept in a form that can be used to identify an EU citizen or resident for no longer than is necessary to serve that purpose. It must also be accurate and kept up-to-date, and be processed in a security-rich environment [Art. 5].

The GDPR defines several parties that are affected by the regulation. For example, a data subject is an identifiable and living EU citizen or resident whom personal data can identify. A controller is an organization that collects data on data subjects, while a processor is an organization that processes personal data on behalf of a controller. Controllers and processors could be separate entities, and while both have responsibilities under the GDPR, controllers bear the primary responsibility for compliance and are liable for the processors that they select. A recipient is a party to which personal data is disclosed — which could be either internal or external to the controller. And a supervisory authority is an independent public authority established by an EU Member State [Art. 4].

The requirements of the GDPR apply to any organization that collects, stores, and processes the personal data of data subjects — regardless of where the organization is headquartered or maintains offices, regardless of where the processing of personal data takes place, and regardless of whether or not the processing is related to the offering of goods or services for a payment. Many organizations across the globe will therefore be required to comply with the GDPR — not just those that have a physical presence within the EU.

Better Value from Data from GDPR Requirements

As with any regulation, the starting point for an organization on its journey towards GDPR compliance will be the involvement of legal counsel, and most likely business consulting firms. Although the legal framework of the GDPR is beyond the scope of this document, it should be noted that while the GDPR will be applied uniformly by all EU Member States, each may choose to enact more specific requirements. An organization therefore needs to understand its legal obligations to each EU Member State within which it collects, processes, and transfers personal data. And although the GDPR does permit the global flow of personal data to recipients in third countries and to international organizations, there are many restrictions and exceptions, and an organization must determine which of them apply to its operations.

A gap analysis should be performed between how an organization currently collects, processes, secures, and transfers personal data, and a state that complies with the GDPR requirements. A high-level overview of the key provisions is provided in this document.

The results of this analysis will provide an organization with a better understanding of the personal data it maintains, who owns it and has access to it, and the impact that the collection and processing of personal data has on its operations, and ultimately its outcomes. It will generate a clear map of where personal data flows and impacts policies, processes, rules, systems, and people. A thorough assessment of the security posture and quality of personal data will be developed. The knowledge gained provides an opportunity, with guidance from the GDPR, to reshape areas of the organization, and the personal data used by them, not only to achieve compliance, but also to improve performance. The same techniques can be applied to other critical data — for example, product data. When data is better understood, it is more trusted and thus is a more valuable business asset.

The GDPR requires that a selected set of organizations appoint a Data Protection Officer (DPO) — for example, public bodies, and those whose activities consist of processing that requires regular monitoring of data subjects on a large scale. A DPO is an expert in data protection law and practices. This role could be internal or external to an organization, and is required to “be involved in all issues that relate to the protection of personal data” [Art. 37, 38]. However, even if an organization is not required to name a DPO, it will find that doing so centralizes ownership of the broad changes required by the Regulation, as well as good management practices for all categories of data.

The actions of employees could inadvertently lead to the unlawful processing of personal data, and in fact, the GDPR specifically states that “any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.” [Art. 29] Therefore, an organization should roll out a comprehensive and ongoing training program to ensure that all employees understand


their responsibilities with respect to the Regulation — which will result in improved handling and management of data by people.

As the GDPR is an enduring mandate, an organization must put procedures in place that demonstrate compliance when requested. The GDPR does encourage the development and approval of Codes of Conduct and certification mechanisms within industries, which can help showcase that an organization is in compliance with the Regulation [Art. 40]. However, these tactics are not intended to be substitutes for the good data practices mandated by the GDPR.

An organization must take inventory of its data, and determine if it could be used to identify a citizen or resident of the EU. This exercise will be a challenge as organizations typically have personal data stored (and often duplicated) in many disconnected places and formats — many of which are beyond the oversight of the IT department. This could include both structured and unstructured formats, in business systems and the cloud, desktop and mobile devices, as well as unconventional places such as backup tapes. Policies and processes must be established so that this critical data is centrally managed and accessed. Detailed metadata must be generated that clearly describes retained personal data, so that it is well understood and used appropriately.

An organization must also inventory the various ways in which it collects personal data, either by obtaining it directly from data subjects through electronic or manual (e.g. verbal, paper) orchestrated processes, by obtaining it automatically through sensors or embedded technologies such as tracking cookies, or by purchasing it from 3rd party dataset providers.

An organization must take a multi-faceted approach to protect personal data from unauthorized access, use, alteration, disclosure, and destruction. For example, it will need to ascertain and set policies for the security profile surrounding personal data. This includes, for example, the security configurations of hosting systems, cloud platforms, network nodes, and endpoint devices.

An organization must take inventory of all of the various ways that it processes personal data, and ensure that it adheres to the principles of the GDPR: that processing of personal data is lawful; and that the personal data it collects is for a specific and legitimate purpose, and limited to only what is necessary for processing (called privacy by default).

Where processing is performed by external parties, controllers are required to only work with those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet GDPR requirements and protect data subjects’ rights [Art. 28]. Therefore, controllers will need to put procedures in place that evaluate and ensure that the processors they employ are compliant with the Regulation.

Organizations are required to pay special attention to processing that “is likely to result in a high risk to the rights and freedoms of natural persons”. They must assess the impact of these types of processing on the protection of personal data, and consult with their supervisory authority on their legality [Art. 35]. Of particular note is a type of automated processing called profiling, which is fully automated processing that, for example, can determine additional characteristics about a data subject from personal data, or predict future behavior. Data subjects can elect to not have

According to Gartner, “GDPR compliance is not a one-time activity; it requires ongoing data governance and monitoring.”

Gartner, How to Implement File Analysis for GDPR Challenges, October 2017


their personal data be subject to this type of processing, and resulting decisions (subject to certain conditions) [Art. 19]. An organization will need to understand where it implements this type of processing, and determine how its outcomes will be affected when it is restricted.

An organization must also determine if it processes personal data in a way that ensures that it is inherently protected (called privacy by design) [Art. 25]. The GDPR encourages organizations to apply various techniques and technologies that render breached data useless to those who don’t have authority to it. This would include, for example, encryption as well as pseudonymization — the replacement of fields that could be used to identify an individual with artificial identifiers (pseudonyms), such as unique numbers, to make it more difficult to ascertain the identity of the individual. Regular testing of the organizational and technical measures to protect data is also encouraged [Art. 32].

An in-depth analysis of personal data and how it is processed will provide a comprehensive view of its lineage and impact — detailing where personal data comes from, where it is maintained, who accesses and changes it and how, and what processes are dependent upon it. This knowledge will be incredibly valuable not only for compliance efforts, but also in optimizing the use of personal data so that it generates maximum value for the organization.

The GDPR grants specific rights to data subjects with regards to the processing of their personal data by controllers and processors. Regardless of whether an organization collects personal data directly or receives it from a third party, it is responsible for it under the GDPR. These rights impose several responsibilities on a controller, which can be summarized as follows:

++ In certain cases, controllers must obtain unambiguous or explicit consent from data subjects in order to collect and process their personal data. The request for consent must meet strict requirements, including:
   –– That it be stated in plain language.
   –– Be clear on the specific personal data that will be collected.
   –– Describe precisely how the data will be processed.
   Consent must be given unambiguously or explicitly, and cannot, for example, be inferred through silence, or obtained through ambiguous or deceptive means (i.e. pre-checked boxes). Data subjects can elect to withdraw their consent at any time.

++ Whether collected by the controller [Art. 13] or obtained through other means [Art. 14], the controller must clearly communicate to the data subject, in clear, concise and plain language [Art. 12], information that includes, but is not limited to:
   –– Their specific personal data that it processes.
   –– Details on how their personal data is processed, both by human-driven and automated processes.
   –– The 3rd parties, foreign countries or international organizations that receive their data from the controller.
   –– The name of the DPO.
   –– The period of time for which their data will be processed.

++ The controller must take action on personal data upon the request of a data subject, including to:
   –– Inform the data subject if, and how, their personal data is being processed [Art. 15]
   –– Correct inaccuracies discovered within their personal data [Art. 16]
   –– Erase their personal data as long as a variety of conditions exist [Art. 17], and instruct all recipients to follow suit [Art. 19]
   –– Restrict the processing of their personal data when one of a variety of conditions exist [Art. 18], and instruct all recipients to follow suit [Art. 19]
   –– Transfer their personal data (if possible) to the data subject, or directly to another controller, in a commonly used, machine-readable format (e.g. a spreadsheet) [Art. 20]
   –– Remove their personal data from automated processing, typically when used for profiling [Art. 22]
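The pseudonymization technique described above (direct identifiers replaced by artificial identifiers, with the means of re-identification held separately so that breached working data is of no use on its own), shown as an added Python example that is not part of this document or of any BackOffice Associates product. The field names, sample records and the HMAC-based pseudonym scheme are assumptions made for the example.

```python
"""Pseudonymisation of personal data records (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumed field names; a real schema would come from the personal data inventory.
IDENTIFYING_FIELDS = ("name", "email", "ip_address")

# Constructed sample records; the people and addresses are fictitious.
SAMPLE_RECORDS: List[dict] = [
    {"name": "Ana Popescu", "email": "ana@example.org", "ip_address": "203.0.113.7", "plan": "gold", "spend": 120},
    {"name": "Jon Doe", "email": "jon@example.org", "ip_address": "198.51.100.2", "plan": "basic", "spend": 15},
    {"name": "Ana Popescu", "email": "ana@example.org", "ip_address": "203.0.113.7", "plan": "gold", "spend": 80},
]


def pseudonym(key: bytes, value: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex characters).

    The same value always maps to the same pseudonym under one key, so records of one
    subject can still be linked for analytics; without the key the pseudonym can neither
    be reversed nor recomputed from a guessed e-mail address (a plain hash could be).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class PseudonymVault:
    """Key plus pseudonym-to-identity table, to be stored apart from the working dataset."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)
        self.identities: Dict[str, Dict[str, str]] = {}

    def pseudonymize(self, record: dict, subject_field: str = "email") -> dict:
        """Return a copy of the record with direct identifiers replaced by one subject pseudonym."""
        subject_id = pseudonym(self.key, record[subject_field])
        # The identity lives only in the vault; the working record carries the pseudonym.
        self.identities.setdefault(subject_id, {f: record[f] for f in IDENTIFYING_FIELDS if f in record})
        working = {f: v for f, v in record.items() if f not in IDENTIFYING_FIELDS}
        working["subject_id"] = subject_id
        return working

    def reidentify(self, subject_id: str) -> Optional[Dict[str, str]]:
        """Only a party holding the vault can map a pseudonym back to a person."""
        return self.identities.get(subject_id)

    def erase(self, subject_id: str) -> bool:
        """Erasure request: dropping the mapping leaves the working data without a link to the person."""
        return self.identities.pop(subject_id, None) is not None


def contains_identifiers(record: dict) -> bool:
    """Guard to run before a dataset leaves the controlled environment."""
    return any(f in record for f in IDENTIFYING_FIELDS)


def spend_by_subject(records: List[dict]) -> Dict[str, int]:
    """Aggregation that still works on pseudonymised data because pseudonyms are stable per subject."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r["subject_id"]] = totals.get(r["subject_id"], 0) + r["spend"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault()
    working_set = [vault.pseudonymize(r) for r in SAMPLE_RECORDS]
    print(working_set)
    print(spend_by_subject(working_set))
```

Note that the vault, not the working dataset, is what an erasure or access request acts on; the working dataset is unchanged and only loses its link to the person.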


The GDPR demands that personal data be accurate and kept up to date. Thus, an organization will need to understand the current quality of its personal data, and enforce associated policies for quality. The GDPR also mandates that personal data can only be maintained by an organization as long as necessary to support the processing for which it was originally collected. Therefore, controllers will need to establish policies that define when personal data must be erased, and procedures to communicate with processors and recipients to follow suit.

Finally, the GDPR requires that controllers maintain a record of processing activities that fall under their responsibility. There are a number of details that must be included in these records, including the purposes of the processing, a description of the affected categories of data subjects and personal data, the categories of the recipients to whom the data will be disclosed, identification of third countries and/or international organizations to which the data is disclosed, the DPO, the length of time the data will be kept, and a description of the security measures put in place to protect the data. Processors have similar reporting requirements. These reports must be in human readable format, and made available to supervisory authorities upon request [Art. 30]. An organization will thus be required to implement a robust record collection and reporting system that provides traceability and details across personal data, the processing of it, the consent given by data subjects for the processing, and the transfer of it to third parties.

The GDPR defines a personal data breach as one that leads “…to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or processed” [Art. 4]. A controller must notify the supervisory authority of its Member State within 72 hours from the point that it becomes aware of a personal data breach if it determines that it “is likely to result in a high risk to the rights and freedoms of individuals” [Art. 33]. It must then notify affected data subjects without delay [Art. 34]. Therefore, the controller must establish incident response procedures to help identify when a breach occurs, and communicate clearly and effectively with those impacted. Finally, an organization will need to incorporate various auditing procedures to help illustrate compliance and identify non-compliant activities. It will need to put controls in place to help safeguard against inadvertent compliance failures, for example, unauthorized transfers of personal data to third parties.

Organizations should consider migrations to new and modern systems to improve the security, structure, quality, and processing of personal data. They should consider implementing a data quality solution to monitor personal data, and enforce policies to ensure it is consistent and complete. And finally, organizations should seek to establish governance practices that define and enforce policies for personal data — such as for security, quality, processing, and auditing.


Conclusion

Compliance with the General Data Protection Regulation will require that many areas of an organization work together to examine and change policies, practices, and technologies related to personal data. Although technology will play an important role in helping achieve compliance, the scope of the requirements extends beyond the purview of software, so no software can make an organization completely compliant. Regardless, the benefits gained as a result of compliance efforts can lead to the establishment of effective governance practices for all types of critical data — which can help generate impactful new insights that lead to greater efficiencies, growth and competitive advantage, and enable the organization to react with agility and speed to meet rapidly changing markets.

According to Gartner, “Organizations preparing for GDPR compliance have a unique opportunity to leverage GDPR requirements, including the enhanced data subject consent rules, to increase business value and uncover digital business opportunities.”

Gartner, How Data and Analytics Leaders Can Leverage GDPR for Increased Business Value, August 2017

We believe BackOffice Associates products and services provide our customers a significant advantage and cost savings in developing, implementing and managing a holistic, integrated strategy to data governance and data management. However, developing and implementing a comprehensive compliance strategy requires an organization-specific assessment of its data assets and processes along with an analysis of how GDPR impacts those assets and processes. While BackOffice’s technology undoubtedly can assist its customers during this analysis, the ultimate determination of compliance with GDPR or any other data protection legislation remains exclusively with the customer. All materials provided by BackOffice are its copyrighted works, are for informational purposes only, and are not intended to and should not be relied upon or construed as a legal opinion or legal advice regarding any specific issue or factual circumstance.

Contact us for a data assessment.

BackOffice Associates, LLC
info@boaweb.com
www.boaweb.com

NA +1 508.430.7100
EU +44 (0) 1252 938888
APJ & ME +65 63610360

©2018 BackOffice Associates, LLC. BackOffice Associates, Boring Go Live and all associated logos are trademarks or registered trademarks of BackOffice Associates, LLC in the United States of America and elsewhere. SAP as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and several other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. All other products, company names, brand names, trademarks and logos are the property of their respective companies.
