Bluetree and GDPR

Bluetree have always taken a firm stance when it comes to data protection and the way in which we process personal information; the introduction of the updated GDPR regulations on 25th May 2018 has further focused our attention, making us even more vigilant in ensuring we store and dispose of personal information in the right way and to the correct timescales.

An update of data protection regulations that were created in 1995, GDPR was born out of a broad array of complex amendments. Aimed at keeping track of how businesses handle personal data, the idea was first mooted in early 2012 as a much-needed upgrade to the Data Protection Directive of 1995. It enhances existing data protection law by introducing new rules for organisations and new rights for individuals.

GDPR is implemented through a new data protection bill, and breaking the rules could lead to fines of up to €20 million or 4% of global turnover (whichever is higher), as well as reputational damage. GDPR doesn’t just apply locally but to all companies doing business in the EU. The legislation places strict controls on the transfer of data abroad unless the destination country has guidelines “in alignment with strict standards of GDPR”.

What is personal data, and how does this legislation affect you?

Technology is continuing to rapidly change the way we live, work and learn. Since 1995, the computing world has undergone huge amounts of change; most notably, the ability to collect, analyse and manipulate data has exploded.

GDPR now requires organisations to take management of personal information seriously and, for the first time, data now has a liability dimension. In the past, the general attitude of engineering and marketing organisations was ‘collect as much data as you can and keep it forever’. Companies may not even have had a good reason for retaining it; it was more a ‘just in case’ way of thinking.

Now there is a liability to collecting data, and organisations must rationalise why they are collecting it. Is it really needed to conduct business? The principle is clear – collect only what you really need and keep it only as long as defined. The legislation states that permission to use this data must be granted on a per use basis. So, if an organisation has consent to use data for test A, they cannot use it for test B, unless explicit permission is granted.

GDPR can be regarded as a proverbial carrot, encouraging organisations to be transparent about how they process and use data, which in turn increases the trust and engagement of an organisation’s employees and customers. Alternatively, it can be looked at as a hammer to whack organisations that show blatant disregard for the care and security of data.

This legislation is an attempt to level the playing field, addressing who actually owns the data that is being fed into big data, AI, and deep learning. Essentially it defines three parties: the data subject, the data controller, and the data processor.

Know your rights

GDPR codifies eight fundamental rights with respect to the data subject.
These include:
• right to be informed
• right of access
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights in relation to automated decision making and profiling

The Data Controller is any organisation that collects and holds data from the data subject. All organisations (government, non-profits, businesses, universities, etc.) are subject to GDPR. The only bodies explicitly excluded from GDPR are Foreign Services, Intelligence Services, and Police Services.
The Data Processor is any organisation that provides services that utilise the personal information of the data subject on behalf of the data controller. The data processor must also ensure that they comply with all the articles of the GDPR.

For further information please contact our Data Controller Claire Newman on