I attended a public event in London on 7 March when OneTrust, a company with expertise in enterprise privacy management software, welcomed a slew of market specialists and operators who are looking at how the new rules of engagement dictated by the new General Data Protection Regulation (GDPR) could change our competitive landscape in the months and years to come.
If you have never heard of the GDPR, you should start by familiarising yourself with PrivacyConnect, a global community of privacy professionals focused on tools and best practices for implementing solutions that strictly follow the new rules of engagement.
Attendees included lawyers, risk management firms, IT specialists as well as the press, which testifies to the importance of the changes currently underway across different sectors. Given the uncertainty still surrounding the regulatory framework, many topics were actively debated to try to form consensus as far as some key GDPR elements were concerned.
As a reminder, the GDPR will become effective on 25 May 2018.
Here are the key takeaways from the material I saw, integrated with the official text of the regulation.
1) Consent
“Consent” of the data subject “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
More broadly, according to the GDPR text:
“Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Companies “should make sure that they only rely on consent to legitimize their processing activities in the right circumstances.”
Consent is NOT appropriate when:
- The data would still be processed if consent were refused or withdrawn;
- Consent cannot be refused or withdrawn without detriment;
- The controller is in a position of power over the data subject;
- The processing activity is necessary for the performance of a contract.
2) Controllers, processors and fines
In a nutshell, controllers hold the key position and are responsible, for example, for handling “Data Subject Requests”. Meanwhile, processors – who could also act as controllers – share the responsibility when/if unfair processing of data emerges.
Possible fines associated with a GDPR breach are calculated based on:
- Chain of control and systems already in place;
- Nature, type, gravity, extent and duration of the infringement;
- Actions taken by the controller or processor to mitigate, negate or notify affected parties (including notifying the Information Commissioner’s Office of a breach).
3) Data Subject Rights
The GDPR defines eight data subject rights; the full text is set out in the regulation itself.
4) Cookies compliance
- Cookies that constitute personal data need a legal basis for processing purposes;
- Cookie law (the ePrivacy Directive and the pending ePrivacy Regulation) says the aforementioned legal basis should be consent;
- Consent requirements are restrictive, and the ePrivacy Regulation is expected to mirror these new needs.
* Please note that according to EU law, a recital can, and should, be taken into account when interpreting the meaning of a contractual agreement.
5) Data inventory and Mapping
Data Inventory is defined as follows.
“A data inventory is a record of the data flows and assets that an organisation handles. A data inventory is typically organized according to the data lifecycle of collection, processing, transfers, storage, protection, and retention – or another similar framework.”
Data Map is defined as follows.
“A data map is a visual representation of the data inventory. Data maps usually focus on the representation of the data flows and cross-border data transfers that can also visually indicate and highlight high-risk processing of the data.”
6) Data Protection by design and by default
This means “that privacy is embedded into product design and development to make sure the proper choices are available for people using the products, and the default options are the most privacy preserving.”
“The Privacy Impact Assessment (PIA)/Data Protection Impact Assessment (DPIA) is a critical operational and record keeping tool to be able to demonstrate compliance with Article 25,” which, in paragraph 1 adds “ […] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” Moreover, the controller “shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. […]”
GDPR also requires the tracking of processing activities in order to demonstrate compliance (Article 24) and accountability (Article 5); finally, the PIA helps controllers meet certain obligations by storing the full track record.
If you wish to know more about Hedging Beta services, including Chatbots, SEO, GDPR and more, please get in touch with our team at firstname.lastname@example.org.
(This post was written by Gian Mario Contessa, CTO of Hedging Beta. Gian Mario has spent over a decade in the software and technology sector. His experience spans Mobile-Oriented Architecture as well as Multi-Tenant Cloud Microservices and Software as a Service (SaaS). He has worked on developing complex systems and tools, managing teams in Barcelona (Spain), London (UK) and Hanoi (Vietnam). A market specialist, he focuses on process analysis, “scaling”, tech strategy and research & development. Prior clients include Arcadia Group, The White Company, Wickes and Sainsbury’s.)