skip to Main Content


Last Updated:
Analyst Coverage: , , and

The EU’s General Data Protection Regulation (GDPR) will apply more-or-less uniformly across the EU from 25 May 2018. It requires an organisation storing or processing the “personal data” of EU citizens to put data privacy – Privacy by Design – at the heart of its data processing. Many observers think that GDPR will become a major cost of doing business in the future. Bloor thinks differently. We see it as an opportunity to add value for your company. It’s an opportunity to leverage “privacy by design” for building trust in the Mutable business.

Why is it important (hot)?

The GDPR means that organisations must significantly change the way in which they protect and process personal data. It gives the subjects (“owners”) of personal data important new rights, including judicial remedies if these rights are infringed and mandatory reporting of data breaches. Organisations must introduce “appropriate technical and organisational measures” to protect personal data – that is, “privacy by design”, with data privacy and security taken into consideration from the start. However, this can also bring bottom-line benefits from managing a “360 degree” view of sensitive data and encouraging data rationalisation.

Remember too that GDPR applies to the personal data of EU citizens outside of the EU. Ovum claims that 63% of US organisations think that GDPR will make them less competitive, while 70% believe that it favours European businesses. These US organisations are probably overlooking the fact that the EU also genuinely takes the privacy of its citizens seriously.

Figure 1 – Percentage of UK businesses, and charities that have made changes to their operations in response to GDPR’s introduction.

Figure 1 – Percentage of UK businesses, and charities that have made changes to their operations in response to GDPR’s introduction.

How does it work?

The full text of the GDPR is here. When reading an Article, don’t overlook the linked Recital, which the authorities will use to elucidate precise meanings. GDPR is based on 7 principles:

  1. Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  2. Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original processing purposes. However, further conditions in relation to processing for such purposes must be met.
  3. Data minimisation – personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.
  4. Accuracy – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (with some exceptions).
  6. Integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  7. Accountability – the controller shall be responsible for and be able to demonstrate compliance with these principles. Being able to demonstrate that you have policies and processes (supported by tools) in place is the key to compliance and avoiding penalties.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. See the GDPR FAQ.

Figure 2 – At the beginning of 2018 two EU Member States have already adopted the relevant national legislation, 26 Member States are at different stages in their legislative procedures and have schedules for adopting the legislation by 25 May 2018.

Figure 2 – At the beginning of 2018 two EU Member States have already adopted the relevant national legislation, 26 Member States are at different stages in their legislative procedures and have schedules for adopting the legislation by 25 May 2018.
Source: “Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018” dated 24/1/18.

GDPR took effect on the 26th May, 2018. It affects any company holding personal data of EU citizens or seeking to move such data in and out of the EU. The UK will introduce equivalent legislation to the GDPR (which will continue after Brexit). And the potential penalties and fines associated with GDPR are eye-watering: there is an upper limit of €20 million or 4% or annual global turnover – whichever is higher.

More important than this, is the reputation risk associated with GDPR – keeping data breaches to yourself will be illegal when GDPR comes in.

Remember, too, that GDPR applies outside Europe, even in the US. It is not “just a barrier to US companies doing business in the EU”, it represents a genuine cultural difference in the way the EU thinks of the privacy of its citizens. And, many other countries are introducing GDPR-like legislation.


Just six per cent of UK businesses have prioritised GDPR, compared to 30 per cent 
in France and 25 per cent in Benelux.
Sophos, 15/06

Less than two thirds (59 per cent) of UK businesses are aware of the implications GDPR will have on their organisation. Roughly three quarters (73 per cent) felt prepared to meet the obligations when it comes to documents and print management.
Kyocera, 29/06

Among US multinationals, 68% expect to spend between $1 million and $10 million, with another 9% expected to spend more than $10 million.

Firstly, it isn’t enough to have processes, policies or technology in place. The fundamental question the Regulator (or, indeed, an aggrieved data subject) will ask is whether your people understood the rules and were confident and competent in applying them.

Secondly, once you understand GDPR, you will need, e.g., data cataloguing, security and privacy tools; and process automation, governance and policy management tools; in order to put your understanding into practice. Building a “360 degree” view of customers, consent management (perhaps using MDM), sensitive data discovery, and appropriate data masking, will all be part of the solution.

These let organisations demonstrate that they are well-governed and effective, compared to their competition. More importantly, however, they allow the fostering of better trust relationships with their customers and employees (who both now “own”, in some real sense, their own personal data).

Business is built on trust and the modern Mutable business must base its business outcomes – profits – on leveraging its trust relationships.

What is the bottom line?

Seize GDPR as an opportunity to build “Privacy by Design” into your processes, thus de-risking mutable change as it affects personal data. Leverage this for increased customer trust, customer loyalty and market-share.


  • AB INITIO logo
  • Alex Solutions (logo)
  • ATACCAMA logo
  • BIG ID logo
  • CLOUDERA logo
  • DATAGUISE logo
  • HITACHI logo
  • IBM (logo)
  • INFOGIX logo
  • Informatica (logo)
  • IRI logo
  • MAGE logo
  • Oracle (logo)
  • Progress logo
  • Qlik logo
  • SAP (logo)
  • SEEKER logo
  • SOLIX logo
  • TALEND logo
  • Waterline Data (logo)

These organisations are also known to offer solutions:

  • Global Data Excellence
  • Global IDs
  • Ground Labs
  • Syniti
ORACLE InBrief (cover thumbnail)

Oracle Unified Information Management Platform

Oracle’s data management capabilities span the establishment of (cloud-based) data warehouses and data lakes.
GROUND LABS InBrief (SENSITIVE DATA) cover thumbnail

Ground Labs Enterprise Recon (2020)

Enterprise Recon offers enterprise-wide discovery of personal, PII and PCI data in accordance with a wide range of compliance regulations.
IBM InBrief (cover thumbnail)

IBM Cloud Pak for Data

IBM Cloud Pak for Data places particular emphasis on deploying, developing and managing AI and machine learning models.
QLIK InBrief (cover thumbnail)

Qlik Data Integration Platform

The Qlik Data Integration Platform is essentially a melding of the capabilities provided through the acquisitions of Podium Data and Attunity.
00002552 - DATA GOVERNANCE Market Update cover thumbnail

Data Governance (July 2020)

Data governance, as a space, has matured significantly over the past few years. This Market Update examines and competitively evaluates the vendors therein.
AB INITIO InBrief (SENSITIVE DATA) cover thumbnail

Ab Initio Semantic Discovery

Ab Initio Semantic Discovery is a data discovery solution offered as part of Ab Initio’s broader data management platform.
BIG ID InBrief (SENSITIVE DATA) cover thumbnail


BigID specialises in (sensitive) data discovery and classification and unlike other vendors has been built from the ground up to concentrate in this area.
STEALTHBITS InBrief (SENSITIVE DATA) cover thumbnail

STEALTHbits Sensitive Data Discovery

STEALTHbits supports discovery against a comprehensive list of file systems, SharePoint and OneDrive, Exchange, Dropbox, Oracle and Microsoft SQL Server.
Back To Top