GDPR: greater accountability to guarantee the privacy of personal data

Mar Castaño

20 July 2017

170720 gr rebelthinking data wp 1

On May 25th, 2018 the General Data Protection Regulation (GDPR) will como into application, a regulation approved by Parliament and the European Commission in April 2016, for the purpose of regulating the treatment and protection of data across the entire European Union. The GRDP serves a dual purpose; it offers citizens more control over their personal information in this digital age, and establishes clear guidelines for companies when it comes to safeguarding the privacy of the data.

This new regulation affects those responsible for the collection and processing of data from European citizens, regardless where their business is located, whether inside or outside the European Union, and even if the organisation does not have a physical presence within the EU.

This regulation will strengthen global awareness around the privacy of individuals, ensures proactive responsibility on the part of companies and guarantees high protection standards, adapted to suit the digital environment, for the whole of the EU.

Active role of businesses

One of the major issues related to the GDPR has to do with the role of businesses in the management of personal data; organisations must maintain active and ongoing responsibility for risk assessment and the adoption of technical and organisational solutions that ensure compliance with those measures put in place to protect the rights of individuals.

Winning customer confidence in order to obtain and make use of their data is one of the biggest challenges companies face today. For that reason, transparency and respect for privacy are two features a company can demonstrate in order to distinguish themselves.

Nowadays, all marketing strategies depend and are based on consumer data. Technologies like Big Data and machine learning make make it possible to analyse consumer information against multiple variables using real and accurate data, and reach customers in a more effective way.

Data Driven Marketing is an increasingly important trend; it generates knowledge from personal data, and by combining internal data sources (identifying and sociodemographic data, purchasing through loyalty cards, searching websites, etc.) with external sources (conversations on social networks, sensors, location of mobile phones, etc.) it allows us to;

  • Set consumption patterns.
  • Predict consumer behavior.
  • Customise offers based on tastes, interests and needs.
  • Determine what content is most relevant, and what content enhances consumer involvement with the brand.
  • Improve the customer experience across all channels of interaction.
  • Optimises and adjusts campaigns in real time to improve efficiency.

In this context, ethical and legal principles that govern the use of information should not be construed as barriers to progress, but as guarantors of the appropriate, transparent and verifiable use of data to generate direct links between the company and its customers, and prevent illicit use of sensitive information.

The great innovations of GDPR

These are the main issues that organisations should consider in preparation of the new rules.

Unambiguous and explicit consent

Informing clauses, privacy policies or terms and conditions that concern the processing of personal data should be clear, concise and explain the terms by which personal information will be used in a way that is simple and easy to understand. In addition only data strictly necessary for the purposes intended should be collected and processed.

Unless the person gives their explicit consent by way of declaration or affirmative action (written declaration or by electronic means, verbal statement, checking a box on a web, etc.) they should not be contacted, their data should not be used to develop business profiles, nor should any of their data be processed.

This is one aspect of the new regulation that will cause a significant impact, since no longer will companies be able to rely on implied consent (silence ticked boxes, inaction affected, etc.); the controller shall implement measures to prove that the consent was given in the right way.

Safety measures and risk analysis

The GDPR will entrust companies with the responsibility of identifying the security measures implemented during data processing, and require that they demonstrate that these measures comply with regulations and are truly effective

In the event of security breaches occur, those responsible should make it known to the national supervisory authority within 72 hours; and to those affected when there is any risk to their rights.

The GDPR also presupposes an ongoing activity in the analysis of security vulnerabilities on the part of the company, in order to select and implement the most advanced technologies to prevent or block cyberattacks.

Chief Data Protection

The regulation introduces a new figure, the DPO – Data Protection Officer. The hiring of a DPO will be mandatory for public entities and companies whose main activities involve the continued and systematic observation of prospects at large scale, or large scale treatment of special categories of data.

The DPO will be responsible for ensuring compliance with the new regulations, the application of appropriate safety measures (depending on the risk associated with each case), and the reporting of security breaches and the processing of necessary authorisations.

They will be chosen by the controller, according to their professional qualities and regulatory and practical expertise. They may already be part of the staff of the company or an external worker.

Privacy by Design

This new regulation also means that the design of products or services related to the obtaining of personal data privacy is guaranteed from the early stages of project development.

Techniques such as pseudoanonymity, encryption or protection default profiles where personal data is not accessible to others without the intervention of the parties concerned, are examples of privacy-oriented techniques that should be taken into consideration at during the process of designing products or services.

One stop shop

This new regulation establishes a single authority to resolve cross-border disputes, whenever several national supervisory authorities are involved. Thus, companies with subsidiaries in several states will only have to deal with the data protection authority belonging to the European country where they are headquartered.


Penalties affect both the perpetrators and those responsible for safeguarding the data. The heaviness of the fine is defined in terms of noncompliance; fines at level 1 of noncompliance may reach up to 10 million euros or 2% of the volume of the total annual turnover of the previous financial year, and at level 2, up to 20 million euros or 4%.

In conclusion, the GPDR rises to a new stadium the management of personal data in companies, on which relies an active and permanent responsibility both in risk assessment as in the adoption of measures to ensure the privacy rights of individuals.