Big Data Privacy Risks And The Role Of The GDPR: Part 2

Evelyne Salie

Part 2 of a 2-part series. Read Part 1.

The European Union’s General Data Protection Regulation (GDPR) is prompting companies to take extra efforts to guarantee the data privacy rights of its business partners, including employees, customers, vendors, and so on.

My last blog discussed the six ways Big Data analytics can threaten personal privacy as well as the two parties that are prompted to take protective actions by the GDPR: individuals and companies with customers in the EU. Individuals can distinguish the risks they are willing to take by asking themselves the following questions:

  • What data am I making publicly available, and where are the potential threats?
  • What risks can I avoid, and on which data do I have no influence?
  • Do I have any right to claim my data? Where can I make that claim?

GDPR sets a base for future development in global data protection and security. As KPMG wrote, “It is fair to say that this new legislation is the biggest and most impactful change in privacy and data protection regulation in history. This regulation came about after more than four years of deliberations and negotiations and will impact organizations worldwide.”


Changes ahead

As outlined in EY’s report EU General Data Protection Regulation in the Digital Age: Are You Ready? GDPR requires fundamental changes in how data is processed, stored, and used.

Data protection officers (DPOs)

  • DPOs must be appointed if an organization conducts large-scale systematic monitoring or processes large amounts of sensitive personal data

Accountability: Organizations must prove they are accountable by:

  • Establishing a culture of monitoring, reviewing, and assessing data processing procedures
  • Minimizing data processing and retention
  • Building in safeguards to data processing activities
  • Documenting data processing policies, procedures, and operations that must be made available to the data protection supervisory authority on request

Privacy impact assessments

  • Organizations must undertake privacy impact assessments when conducting risky or large-scale processing of personal data


  • Consumer consent to process data must be freely given and for specific purposes
  • Customers must be informed of their right to withdraw their consent
  • Consent must be “explicit” in the case of sensitive personal data or trans-border dataflow

Mandatory breach notification

  • Organizations must notify a supervisory authority of data breaches “without undue delay” or within 72 hours, unless the breach is unlikely to be a risk to individuals
  • If there is a high risk to individuals, those individuals must be informed as well

New rights

  • The right to be forgotten – the right to ask data controllers to erase all personal data without undue delay in certain circumstances
  • The right to data portability – where individuals have provided personal data to a service provider, they can require the provider to “port” the data to another provider, provided this is technically feasible

Privacy by design

  • Organizations should design data protection into the development of business processes and new systems
  • Privacy settings are set at a high level by default

Obligations on processors

  • Data processors become an officially regulated entity

Joint controllers

  • Data protection responsibility might split among several controllers


Though responsibility to protect their data does lie on every individual using Internet services (whether online shopping, banking, gaming, or social media), the new EU regulations explicitly require that companies take a more active role in data protection.

Given these changes, the role and importance of information management and governance in data privacy will be a key success factor for all organizations with EU customers.

There are solutions and services available to help you provide protection, availability, resilience, and governance for one of your most important assets – individuals’ data.

For more information, see:

This was originally published on the SAP BusinessObjects Analytics blog and is republished with permission.

Follow SAP Finance online: @SAPFinance (Twitter)|LinkedIn|Facebook|YouTube

Evelyne Salie

About Evelyne Salie

Evelyne is a highly experienced IT-Solution Principal, Business Developer and Project Manager with over 10 years IT- industry experience within the Governance Risk and Compliance and Finance area of expertise. She currently works as a Senior Director in Business Development at SAP Finance and GRC solutions. In her business development role she is working on concepts and realization for new generation of Finance solutions, running in real time, integrating predictive, Big Data, and mobile, which will change how offices of the CFO work, how the business is run, and how information is consumed.