GDPR: your client, their data and unexpected love

Juan Luis Polo

6 November 2017

171106 gr rebelthinking gdpr ele wp 1

“In God we trust. All others must bring data.”

W. Edwards Deming, statistician, professor, author, lecturer, and consultant.

Initial implementation of the GDPR (General Data Protection Regulation) can still seem far away, despite the fact that we are only 6 months away from its launch. However, the 25th May 2018 will be a pivotal moment in data protection.


Businesses know the importance of acting as depositories for their clients’ data since the enforcement of the LOPD in 1999. From this moment on we have been in charge of our clients’ data, tasked with communicating that data to the AEPD (Spanish Agency of Data Protection). The main objective of the LOPD was to regulate the treatment of private data, regardless of the medium in which that data was handled, the rights of citizens over that data and the obligations of those tasked with creating or handling that data.

Sufficient protection for individuals must be provided, they must take into account legislators and successive governments.

But the digital tsunami in which we live, since the law was enacted, has shown us that data has been converted into the fuel that powers the commercial motor worldwide.

In the early days of the Internet, private individuals were far from understanding that the endless trail of data that’s left behind unconsciously, would be used by companies in whatever shape or form, with both good and bad intent.

But on the 25th May 2018, with the enforcement of the GDPR, it’s all going to change, establishing a dynamic in which the person is at the centre of everything.

What are the key points?

  • “The right to forget”: when a person no longer desires their data to be processed, and provided that there are no legitimate reasons to keep it, the data will be deleted. It is about protecting people’s privacy, not erasing past events or restricting freedom of the press.
  • Easier access to personal data: people will have more information about how their data is processed and this information should be made available in a clear and comprehensible way. The right to the portability of data will facilitate individuals to transfer personal data between service providers.
  • The right to know when personal data has been stolen: companies and organisations must notify the national supervisory authority of breaches of data that endanger individuals within 72 hours and inform those involved of all high-risk breaches as soon as possible so that users can take appropriate action.
  • “Data protection by design” and “Data protection by default“: are now essential elements of EU data protection rules. Data protection ought to be integrated into the source of the design of products or services. And the regulation about to take effect will remain at a default setting that respects privacy, for example, on social networks or mobile applications.
  • Stricter enforcement of the rules: Data protection authorities will be able to fine companies who do not comply with EU rules, up to 4% of their global annual turnover.

To deal with what lies ahead companies will have to work in a way we have not done so far:

  • What third-party data does your organisation manage? What data is collected from third parties and where is it stored? Perhaps it’s already something that we have been doing, but now we will have to update.
  • The consent to release data must be explicit. It must be accepted by the user as it will no longer be valid to collect data by default. One of the least “taken care of” aspects by organisations that collect data is that they often subscribe you to their newsletter without you asking for it.
  • The Data Protection Officer is born. A company of more than 250 employees with their main activity in the management and processing of data or special category data, must employ a Data Protection Officer.
  • Implementation of monitoring, management and data protection controls, attending to the user who asks for information about their data.

Following on from the implementation of this new regulation, there will be two possible scenarios:

  • Companies will obey this new regulation and will be able to maintain their clients’ data.
  • Companies will not obey the regulation and will have to give up maintaining this data.

With the introduction of GDPR, consumers will be able to know which companies are capable of maintaining their data depending on whether or not they’re compliant with new regulations. In an overview of absolute control of our data, we can say “no” to companies that ask to keep our information, once we discover they will not be able to do so safely.

More importantly, we can choose which company to protect our data. We will assist in the introduction of portable data, to the point where we can choose to be clients of one company. As organisations, we’ll end up sharing a bed with our clients and their lovers. This will lead to the emergence of companies that offer an “ad-hoc” service to store our data, uncovering a new line of business.

Those companies allowed to manage customer data will be capable of building new products or services based on the knowledge they gain through that process, while less trusted companies will not be able to make use of that data.

GDPR is much more than a just regulation meant to develop specific aspects of what has already been implemented. It is designed to create a new reality, costly to implement, but very ambitious in its objectives with respect to the relationship between clients and companies.

This data will be liquid gold in the hands of the companies most involved with the regulation that the GDPR imposes and will become a headache for companies that arrive late or fail to win the trust of their clientele.

From May 2018 we will be able to prove that our customers are more than just data.