To understand the principles behind GDPR, you need to consider that any data that you hold has been loaned to you by the owner, and they are in control of who has it and what they do with it. Consent must be freely given for the use of any personal data and the use for this must be made clear.

The subject (the person whose data you have stored) has specific rights with respect to their data. These include:

  • Access a copy of the information 
  • Object to use of data likely to cause distress 
  • Prevent processing for direct marketing 
  • Object to decisions being taken by automated means 
  • Have inaccurate personal data rectified, blocked or destroyed 
  • Claim compensation for damages caused by a breach

Technical measures

You should not underestimate the task of controlling personal data in line with the GDPR and appropriate database functions will be required by anyone with any volume of records. To implement compliance within a database system, the following functions will need to be reviewed and implemented where necessary:


The technical measures required to maintain compliance will include installing and maintaining security systems such as firewalls and regular software updates, and encryption of mobile devices and stored data.


To address the requirement of data erasure, whilst maintaining database integrity, can be addressed through tokenization of data. This is the process of substituting personal data with a 'token' such as a number or pseudonym to remove individual identifiers, allowing transactional data to remain while adhering to General Data Protection Regulations. This process must also ensure that the process of erasure cannot be undone.


A further technical requirement of GDPR is the right to portability. To comply, data must be made available in a manner that can be loaded into alternative systems using commonly available electronic formats. To meet this requirement, Open Standards should be used where they exist, and it is likely that this requirement will generate future open standard data interchange formats. Within this scope is not only the textual data but other files, documents and images.

What to do now:

  • Start with adding GDPR non-compliance to the risk register
  • Investigate the legal implications for your organisation
  • Assess the overall impact of GDPR on your business
  • Make sure your team is aware of the GDPR directive
  • Review and update privacy notices Create a GDPR compliant process for data access requests
  • Ensure you can erase personal data without damaging database integrity
  • Plan to encrypt all data stored on mobile/portable devices
  • Determine how portability requests will be handled

It's time to take action

It is imperative that businesses take steps to ensure they are ready for GDPR. Existing systems need to be evaluated to ensure that the regulations are met. Should you need to transition to new software to meet these demands, do consider that it can take between 9 and 18 months to re-platform following the selection of a provider.

OpusVL are also supporting a series of informative GDPR events. These are free, but spaces are limited. You can find out more by visiting

To find out how we can help, you can visit our main website or get in touch on 01788 298 450

Posted by Lauren Westley on 13/10/2016