Tick-tock, tick-tock…the countdown has begun – an Overview of GDPR

Blog post by Stephen Sherry, Principal Consultant, Data Management, Version 1

All organisations which capture, store and manage data about European Union citizens need to conform to and abide by a range of data protection regulations and governance procedures and evidence to a required level of traceability that this compliance has been achieved.  The number of high profile data breaches and organisational data protection failures is increasing and this is becoming a key driver in future state enterprise architectures and technology roadmaps. When it comes to preparation for GDPR many Organisations are still less than fully prepared for the impact on Operations, on technology roadmaps and future state architecture.[1]


Previously these issues were mainly the concern of major enterprises but the introduction of the General Data Protection Regulation (GDPR) legislation and the proliferation of online business systems with cloud processing and storage models, mean this is increasingly an issue that touches all organisations regardless of size, scope and commercial or non-commercial basis.

The General Data Protection Regulation (GDPR) in a nutshell

GDPR was first formulated by the EU in 2009, the proposal was published in 2012, adopted by the European Parliament in April of this year and the final text published in May 2016. We are now in a two year grace period after which the GDPR will be fully enforceable throughout the European Union on May 25th 2018. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) covers both the areas of data protection and information security and is intended by the European Commission to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.

Under the current European Data Protection Directive (95/46/EC) the burden of compliance rests principally with Data Controllers rather than Data Processors. If a Processors is carrying out processing activities on behalf of a Data Controller – as for example in most Cloud service agreements – then the EU Directive does not directly apply. GDPR changes all this and the expanded reach in relation to processing of personal data means the Data Processors are now fully within the scope of the Regulation.

The new legislation is significantly different to previous legislation in this area and is much more diverse in terms of scope and coverage and comes with Extraterritorial effect: Under the GDPR even companies outside the EU will be affected. Entities located outside the EU that offer goods or services to residents in the EU or that monitor EU residents’ behaviour (as far as that behaviour takes place within the EU) will be subject to the regulation. Relevant systems are required to be suitably amended and adjusted by May 25th 2018 and this has a direct impact and relevance to the timings and scope of the data architecture and related solutions in future technology roadmaps.

So, all in all, lots of work to be done across all aspects of the enterprise and in collaboration with many organisations teams. The clock is ticking towards 25 May 2018…

In the next blog article in this series we consider the key changes in GDPR and the key considerations for technology architects to understand as part of future technology roadmaps and associated future state architectures.