
Frequently Asked Questions (FAQ) About the GDPR

10 minute read | May 30, 2018

Friday the 25th of May 2018 will probably go down in digital history as a day to remember, as it marks the day the General Data Protection Regulation (GDPR) kicked in, unlocking a whole new standard for what to do—and more importantly not to do—with the personal data of European Union citizens. The GDPR is predicted to be the spark that lights a new data protection mindset among both consumers and businesses—and not just in the EU, but globally.

Up until this date, a lot of the information about the GDPR has been aimed at enterprises, guiding them to compliance. But really, the regulation is largely created with the aim of serving individuals. So, in this blog post we’ll fill you in on what the regulation means for you as a European Union consumer (we’ll cover what it means for non-EU citizens further down). What exactly can you expect of companies and organisations in a post-GDPR world? Read on and find out. Perhaps organisations can even learn a thing or two from this post.

Let’s start with an overview of your new rights and then dive into the details of each before we move on to a few FAQs (Frequently Asked Questions) and their answers.

1. Consent privileges

2. Right to more (transparent) information

3. Data ownership rights

  • Right to be forgotten (right to erasure)
  • Right to access
  • Right to data portability
  • Right to rectification
  • Right to object
  • Right to restriction of processing

4. Right to data breach information


FAQ 1. Consent privileges

“Do you want to continue hearing from us? Then we need your consent.” Has your inbox had quite a lot of emails with similar wording lately? That is due to the consent requirements of the GDPR, which state that organisations can only process a person’s data in specific cases (e.g., if it is necessary for an organisation’s compliance with a legal obligation, or in order to protect the vital interests of an individual, or—and this will be the default situation in most cases—if a person “has given consent to the processing of his or her personal data for one or more specific purposes”).

In most cases, this means that you have to give your acceptance before an organisation can market directly to you. And, not just any acceptance, but a purpose-specific acceptance. Pre-GDPR, very few companies—in fact I know none—practiced purpose-specific consent, but post-GDPR that is the new norm. If the purposes of the processing activity change after your consent is obtained or an organisation wants to use your data for an additional purpose, new and specific consent from you is required.

The GDPR defines consent as the following: “Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In other words, your consent has to be given “freely,” and you have to perform a “clear affirmative action.” But, what does that mean?

French law firm Mathias Avocats gives a splendid example of a situation where consent is not given freely: “For example, if a mobile app for photo editing requires users to have their GPS location activated for the use of its services, consent cannot be considered as freely given for the processing of the GPS data. Indeed, the users cannot refuse to activate their GPS location (or they won’t be able to use the app), and the latter is not necessary for photo editing.”

If your consent is to be considered valid, you need to have given it of your own free will, not as a bundled up, non-negotiable part of terms and conditions of a contract or a service. Furthermore, the physical text where it is written that you give your consent must be distinguishable from other text. If not, your consent is not binding. The GDPR says about this:

“If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”

An “affirmative action” on the other hand, means that YOU have to do something (e.g., tick a box that says: “I consent.”). The box can’t be pre-ticked if your consent is to be considered valid.

Post-GDPR you have the right to withdraw your consent at any time. According to the GDPR, it shall be as easy to withdraw as to give consent.

You always have the right to request to see what you have consented to. It is the responsibility of the organisation to demonstrate to you—and to the authorities, for that matter—that it has your consent to the processing of your personal data.


FAQ 2. Right to more (transparent) information

In a post-GDPR world, the communication you receive from an organisation about your data will be both clearer and written in a language you can actually understand, and you can also expect much more of it. According to the GDPR’s Article 12, organisations need to provide any information relating to data processing in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

This means you need to be able to understand exactly what is going to happen to your data. You have the right to receive this information in writing, but you actually also have the right to receive it orally, if you can prove your identity. If you’re having problems deciphering any data-related information, you can contact the organisation or the person accountable for its data, whose contact information also needs to be provided to you.

At the time when your personal data is being collected, for instance when you sign up for a new newsletter, you have the right to receive the following information, according to the GDPR’s Article 13:

  • The identity and the contact details of the organisation
  • The contact details of the Data Protection Officer (DPO), if the organisation has one
  • The purposes of the data processing
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • The recipients or categories of recipients of the personal data, if any
  • Where applicable, the fact that the organisation intends to transfer personal data to a third party
  • The existence of the rights under the GDPR (e.g., the right to rectification, erasure and data portability)
  • The existence of the right to withdraw consent at any time
  • The existence of the right to lodge a complaint with a Supervisory Authority (each member state has chosen one or more independent public authorities, the Supervisory Authority, to be responsible for monitoring the application of the GDPR)
  • Where applicable, the existence of automated decision-making, including profiling, together with information about the logic involved and the consequences of such processing for you

If an organisation later wants to use your data for a purpose other than the one communicated to you when your data was collected, it needs to inform you about the new purpose and, again, for how long it expects to keep your data.


FAQ 3. Data ownership rights

In a pre-GDPR world, once you handed over your data to a company, the company basically owned your data. In a post-GDPR world, YOU own your data. You’re merely lending it to organisations in order to help them know you better and service you better.

In a post-GDPR world you now have several rights relating to your data:

a) The right to be forgotten (in the GDPR called “the right to erasure”)

You have the right to have your personal data removed and deleted completely from an organisation’s database if, for example:

  • You object to the processing.
  • You withdraw your consent.
  • Your personal data are no longer necessary in relation to the purposes for which they were collected or processed.
  • Your personal data have been unlawfully processed.

There are very few exceptions to this right, such as if your data has been collected for legal or scientific reasons. The burden of proving this, and thus refusing to erase your data, is with the organisation.

b) The right to access

This right means that you have the right to know what is happening to your data, and what type of data an organisation holds on you. The GDPR says:

“The data subject (i.e., you) shall have the right to obtain from the controller (i.e., an organisation processing your data) confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data(…).”

Per “the right to access,” you can ask to know what the purpose of your data processing is, who has access to it (e.g., third parties) and how long it is expected to be kept. Furthermore, you have the right to receive a copy of the personal data undergoing processing.

c) The right to data portability

You have the right to transfer your personal data directly from one organisation to another. The GDPR says about this right:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”

This could prove relevant for you when, for example, you are about to receive products or services from an organisation related to the one that holds your personal data. For instance, you can ask your energy company to transfer your data to a solar roof company before getting an offer from the latter. Or, if you are unsatisfied with an organisation, you can even ask it to transfer your personal data to a competitor and then erase all your data.

d) The right to rectification

You have the right to have your personal data modified, for instance by having inaccurate personal data corrected and incomplete personal data completed. You can ask an organisation to do so either in writing or orally.

e) The right to object

You have the right to object to the use of your personal data for specific purposes, such as profiling, and the organisation processing it then needs to stop it, unless the processing is “necessary for the performance of a task carried out for reasons of public interest.”

f) The right to restriction of processing

The right to restrict processing basically means you can ask a company not to use your information, only to store it. The European Commission gives a good example where this right can come in handy for you:

“A new bank on the domestic market offers good home loan deals. You are buying a new house and so decide to switch banks. You ask the ‘old’ bank to close down all accounts and request to have all your personal details deleted. The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank is legally obliged to store your data, but you can still ask for restriction of the data to make sure that it’s not accidentally used for unwanted purposes.”


FAQ 4. Right to personal data breach information

In a post-GDPR world you have certain rights when it comes to data breaches involving your personal data. But first, what does the GDPR consider a “personal data breach”? It is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

If your personal data is involved in a data breach that is likely to result in a high risk to your rights and freedoms, the organisation responsible for processing your data needs to communicate the data breach to you in clear and plain language without undue delay, including communication about:

  • The name and contact details of the Data Protection Officer (DPO) or other contact point where more information can be obtained
  • The likely consequences of the personal data breach
  • The measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

There are, however, exceptions where an organisation is not legally required to communicate a data breach to you (e.g., if it has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the breach, or if the communication would involve “disproportionate” effort). In the latter case, the organisation is instead required to make a public communication or similar communication whereby you and others are informed in an equally effective manner about the data breach.

Answering the unanswered GDPR questions

Now we’ve covered the basics of what you can expect in a post-GDPR world. But wait, there’s more! Here are some of the most frequently asked questions from a consumer perspective—and of course their answers.

How fast can I expect an organisation to react to my personal data request?

According to the GDPR, an organisation needs to react to your request as soon as possible and in any event within one month of your request. Depending on the complexity and number of your requests, the organisation has the right to extend this by two further months, but in that case it needs to inform you about it, including the reason for the delay.

If an organisation decides not to take action on your request, it needs to inform you about it without delay and at the latest within one month of your request, including the reasons for not taking action, and inform you about the possibility of lodging a complaint with your regional Supervisory Authority.

What do I do if I experience a violation of my personal data rights?

It depends on the character of the violation. If, for instance, you experience direct marketing from an organisation to which you haven’t given consent (or don’t recall having given it), you can start using your data rights, e.g. the right to access, in order to be informed about what data the organisation holds on you and for what purpose.

If you feel that your personal data aren’t safe or you don't wish to receive communication from a particular organisation, you can always use your right to be forgotten.

If you experience a severe personal data violation or an organisation just won’t respond to your requests, you need to reach out to the Supervisory Authority in your region to lodge a formal complaint.

Do I have a right to compensation if my personal data is leaked?

“Maybe” would probably be the most correct answer at this point in time. The GDPR does say: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

However, it is very difficult to predict at this stage as courts have not yet considered any compensation claims brought under the GDPR.

Do I have to pay anything to practice my rights?

Up to a certain point, no. However: “Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.”

The organisation however needs to demonstrate the “manifestly unfounded or excessive” character of a request.

Do I have any personal data rights if I’m not a European Union citizen?

In principle you only have your regional data protection regulations. However, you can expect that international organisations will follow the GDPR’s lead and offer the same personal data “services” to you as to any EU citizen, though you do not have the legal basis to demand those rights. It is expected that the GDPR will raise data protection standards globally, as other regions will most likely follow in the European Commission’s footsteps.

The GDPR in a nutshell …

So, there you have it. GDPR for consumers in a nutshell. We hope you are now equipped to take back the ownership of your personal data. Maybe you’re going to start withdrawing consents right now. Or maybe you’re never going to use any of your new rights. Either way, you can be sure that your personal data is better taken care of after May 25, 2018, than it was before.


Martin Samuel Nielsen is the Chief Information Security Officer (CISO) at Stibo Systems. Martin, who has worked with information security in some of Northern Europe’s biggest companies, including Vestas and Velux, has a great passion for making data protection and information security an integral part of the daily business processes. He holds several personal information security certifications, such as CISA, ESL, CISSP, CISM and CRISC. Martin is also the leading force behind Stibo Systems’ ISO/IEC 27001:2013 certification, the international standard outlining best practices for information security management.
