GDPR and Quality


On May 26, the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect. Initially proposed as part of the EU’s data protection reforms in 2012, the regulation was approved by the EU Parliament on April 14, 2016. It replaces Data Protection Directive 95/46/EC and provides consistency between data privacy and protection regulations across EU member nations. It’s GDPR that has prompted recent emails asking you to consent to your continued presence on mailing lists, and pop-ups requesting your permission to store information to personalize your web browsing experience.

Quality is about meeting the stated and implied needs of your customers and prospects. GDPR establishes one of these implied needs: that individuals have the right to agency over their own information -- whether they generate it personally, or it is generated on their behalf (e.g. using web cookies, eye tracking or geolocation).

The cornerstone of GDPR is consent: information about a person belongs to that person. If your organization is collecting data that in any way relates to a citizen of the EU, that person should be informed about how you plan to use that information, and kept informed as your organization’s data management strategy evolves. It doesn’t matter where the individual is located -- universities that have even one student who is a citizen of the EU must also comply.

Many organizations don’t know what data they have or where it is stored, even on site. Similarly, a company might rely on cloud-based storage or Software-as-a-Service (SaaS) but not know where that infrastructure is hosted. Get started with GDPR compliance by answering the following questions:

  1. Storage - Where are you storing information about EU citizens and residents?
  2. Processing - Where are you processing that information, and how is it being processed? Are third parties able to access and process that information, and if so, how, and for what purpose?
  3. Access and Audit - How can a person find out what information you have about them, where and how it is being processed, and for what purpose?
  4. Right to be Forgotten - How can a person request that their information be deleted, or that processing by your organization or by third parties be halted?
  5. Breach - How will you notify stakeholders whose information has been lost or stolen?
  6. Supplier Compliance - How are your cloud-based services and SaaS providers answering these questions?


If your organization sells products to EU citizens, collects personal information or tracks the web browsing behavior of EU citizens or residents, stores data on EU-based servers, or uses cloud-based applications hosted in the EU, you will need to comply with GDPR.

See our previous article about how the GDPR is relevant to EHSQ applications: https://community.intelex.com/explore/posts/general-data-protection-regulation-0
