skip to Main Content


Last Updated:
Analyst Coverage: , , and

The EU’s General Data Protection Regulation (GDPR) will apply more-or-less uniformly across the EU from 25 May 2018. It requires an organisation storing or processing the “personal data” of EU citizens to put data privacy – Privacy by Design – at the heart of its data processing. Many observers think that GDPR will become a major cost of doing business in the future. Bloor thinks differently. We see it as an opportunity to add value for your company. It’s an opportunity to leverage “privacy by design” for building trust in the Mutable business.

Why is it important (hot)?

The GDPR means that organisations must significantly change the way in which they protect and process personal data. It gives the subjects (“owners”) of personal data important new rights, including judicial remedies if these rights are infringed and mandatory reporting of data breaches. Organisations must introduce “appropriate technical and organisational measures” to protect personal data – that is, “privacy by design”, with data privacy and security taken into consideration from the start. However, this can also bring bottom-line benefits from managing a “360 degree” view of sensitive data and encouraging data rationalisation.

Remember too that GDPR applies to the personal data of EU citizens outside of the EU. Ovum claims that 63% of US organisations think that GDPR will make them less competitive, while 70% believe that it favours European businesses. These US organisations are probably overlooking the fact that the EU also genuinely takes the privacy of its citizens seriously.

Figure 1 – Percentage of UK businesses, and charities that have made changes to their operations in response to GDPR’s introduction.

Figure 1 – Percentage of UK businesses, and charities that have made changes to their operations in response to GDPR’s introduction.

How does it work?

The full text of the GDPR is here. When reading an Article, don’t overlook the linked Recital, which the authorities will use to elucidate precise meanings. GDPR is based on 7 principles:

  1. Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  2. Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original processing purposes. However, further conditions in relation to processing for such purposes must be met.
  3. Data minimisation – personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.
  4. Accuracy – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (with some exceptions).
  6. Integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  7. Accountability – the controller shall be responsible for and be able to demonstrate compliance with these principles. Being able to demonstrate that you have policies and processes (supported by tools) in place is the key to compliance and avoiding penalties.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. See the GDPR FAQ.

Figure 2 – At the beginning of 2018 two EU Member States have already adopted the relevant national legislation, 26 Member States are at different stages in their legislative procedures and have schedules for adopting the legislation by 25 May 2018.

Figure 2 – At the beginning of 2018 two EU Member States have already adopted the relevant national legislation, 26 Member States are at different stages in their legislative procedures and have schedules for adopting the legislation by 25 May 2018.
Source: “Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018” dated 24/1/18.

GDPR took effect on the 26th May, 2018. It affects any company holding personal data of EU citizens or seeking to move such data in and out of the EU. The UK will introduce equivalent legislation to the GDPR (which will continue after Brexit). And the potential penalties and fines associated with GDPR are eye-watering: there is an upper limit of €20 million or 4% or annual global turnover – whichever is higher.

More important than this, is the reputation risk associated with GDPR – keeping data breaches to yourself will be illegal when GDPR comes in.

Remember, too, that GDPR applies outside Europe, even in the US. It is not “just a barrier to US companies doing business in the EU”, it represents a genuine cultural difference in the way the EU thinks of the privacy of its citizens. And, many other countries are introducing GDPR-like legislation.


Just six per cent of UK businesses have prioritised GDPR, compared to 30 per cent 
in France and 25 per cent in Benelux.
Sophos, 15/06

Less than two thirds (59 per cent) of UK businesses are aware of the implications GDPR will have on their organisation. Roughly three quarters (73 per cent) felt prepared to meet the obligations when it comes to documents and print management.
Kyocera, 29/06

Among US multinationals, 68% expect to spend between $1 million and $10 million, with another 9% expected to spend more than $10 million.

Firstly, it isn’t enough to have processes, policies or technology in place. The fundamental question the Regulator (or, indeed, an aggrieved data subject) will ask is whether your people understood the rules and were confident and competent in applying them.

Secondly, once you understand GDPR, you will need, e.g., data cataloguing, security and privacy tools; and process automation, governance and policy management tools; in order to put your understanding into practice. Building a “360 degree” view of customers, consent management (perhaps using MDM), sensitive data discovery, and appropriate data masking, will all be part of the solution.

These let organisations demonstrate that they are well-governed and effective, compared to their competition. More importantly, however, they allow the fostering of better trust relationships with their customers and employees (who both now “own”, in some real sense, their own personal data).

Business is built on trust and the modern Mutable business must base its business outcomes – profits – on leveraging its trust relationships.

What is the bottom line?

Seize GDPR as an opportunity to build “Privacy by Design” into your processes, thus de-risking mutable change as it affects personal data. Leverage this for increased customer trust, customer loyalty and market-share.


  • AB INITIO logo
  • Alex Solutions (logo)
  • ATACCAMA logo
  • BIG ID logo
  • CLOUDERA logo
  • DATAGUISE logo
  • GDE logo
  • Global IDs logo
  • GROUND LABS logo
  • HITACHI logo
  • IBM (logo)
  • INFOGIX logo
  • Informatica (logo)
  • IRI logo
  • MAGE logo
  • MARK LOGIC logo
  • Oracle (logo)
  • Qlik logo
  • SAP (logo)
  • SEEKER logo
  • SOLIX logo
  • SYNITI logo
  • TALEND logo
  • Waterline Data (logo)
CLOUDERA InBrief (cover thumbnail)

Cloudera Data Platform

Cloudera Data Platform offers data integration, data governance, data cataloguing and transformation capability but not data quality per se.
DATAGUISE InBrief (SENSITIVE DATA) cover thumbnail

Dataguise DgSecure

Dataguise started by offering sensitive data discovery and masking but now includes, additionally, encryption/decryption and extensive reporting.
DISCOVERING SENSITIVE DATA MarketUpdate (cover thumbnail)

Discovering Sensitive Data

This Market Update discusses, reviews and compares products specialising in the discovery of sensitive data.
00002492 - GDPR COMPLIANCE InContext cover thumbnail

GDPR Compliance

GDPR is now a reality and sanctions are starting to bite. What should organisations be doing?
STEALTHBITS InBrief (SENSITIVE DATA) cover thumbnail

STEALTHbits Sensitive Data Discovery

STEALTHbits supports discovery against a comprehensive list of file systems, SharePoint and OneDrive, Exchange, Dropbox, Oracle and Microsoft SQL Server.
SEEKER InBrief (SENSITIVE DATA) cover thumbnail

Seeker DLP

Seeker DLP finds sensitive data within files on Windows and Macs, across SMB-based file servers and web servers.
GLOBAL IDs InBrief (SENSITIVE DATA) cover thumbnail

Global IDs Sensitive Data Discovery

Global IDs offers data discovery and classification as part of its EDA platform, thereby providing sensitive data discovery and compliance with regulations.
Ataccama One InBrief cover thumbnail

Ataccama ONE

Ataccama ONE encompasses data integration, data cataloguing, data profiling and data quality, and both reference and master data management.
Back To Top