GDPR: ‘Data Protection 2 – This Time It’s Personal’

It’s a tough gig. And the fact that the European Union General Data Protection Regulation (to give it its full name), or EUGDPR (to give it its catchy short name), is so obviously untarnished by the handiwork of marketeers does not help.

So as Lead BA on my company’s GDPR readiness programme for the last 6 months, I’ve had the unenviable privilege of trying to make EU data protection legislation interesting and engaging to salespeople, warehouse operatives, computer programmers and accountants, so that they will tell me what personal data they hold, where it comes from, what it’s used for, who can access it, and where it’s kept.

This project is not generating a great deal of envy from my BA colleagues, I can tell you.

But tempted though I was to palm this off onto one of my new recruits, I thought I’d Do The Right Thing and Take One for the Team. So I set about reading the legislation and putting a briefing pack together to start engaging the business though a series of presentations.

Still finding my feet at this point, and conscious of the potential for frosty receptions and tumbleweed moments, the presentations have generally started with a sardonic introduction, along the lines of:

“I’m sure you were as enthralled to get an invite to an EUGDPR briefing as I was to be asked to put together 57 slides to explain it to you. I’m only joking of course – there are only 38 slides. But it’s probably fair to say that the content is a little on the dry side. Which, of course, is precisely how we need to keep it. Because when this sort of thing gets interesting, this is what it looks like. (Cue a slide of horror headlines of companies being hit with massive fines). We don’t want that, so our job is to keep this as boring as possible – and here’s how we’re going to do it.”

To be fair, this approach has worked reasonably well so far, although I have been asked to rephrase ‘the right to erasure’ as ‘the right to be forgotten’ because one particular director couldn’t get the image of Andy Bell and Vince Clarke, of the popular 90s musical duo, out of his mind, or the resulting smirk off his face.

Then again, no-one in the audiences has really had to do anything besides receiving a briefing – yet. And it’s possible that a warmer-than-expected reception was principally due to the fact that the further through it I was, the closer the end of it was getting.

When I put the slide-deck together, I hadn’t actually realised that the right to erasure and the right to be forgotten aren’t actually the same thing – but that’s by no means the most significant penny to have dropped when I recently took a course to qualify as a Data Protection Officer.

The truth is, concentrating on the fines is coming at the topic from the wrong angle – and misses the point of GDPR completely. The secret is this: it’s not about you as a professional and your role in the company – it’s about you as a person.

Because as a professional, it’s EU legislation, compliance, and an unappetising pile of non-value-adding administrative activity that everybody needs to take care of in order to avoid massive fines. There’s not a great deal for our marketeers to work with there – and even Simon Sinek might have trouble picking the bones out of that one.

But as a person, it’s about privacy. Your privacy. How comfortable you feel that the answers to the security questions that grant access to your accounts, your medical records, photos of your newborn child, the details of where you spend your money (and what on), who you associate with, your success in relationships, and where you go at any given second on any given day might be sat in a dataset of connected items in a US (or Russian…or North Korean) server farm. You, whether that’s as a customer, an employee or a contractor.

How happy are you at the prospect of an immensely powerful supercomputer consuming this information and making calculations that configure your life chances and serve them back up to you in the form of – say – a mortgage decision or a job offer?

The concept of private personal information is (obviously) not a recent phenomenon. Even our medieval forebears had qualms about the village medic being indiscreet with the finer details of their digestive difficulties – and that’s where the first privacy policies emerged, in the form of professional codes of conduct. The invention of the Kodak camera created new privacy concerns as people started to see their images being published without their consent, and more recently the ubiquity of the camera-phone (and of social media to publish its outputs on) has amplified this effect to the extent that many teenage students daren’t even drink alcohol for fear of compromising images being permanently etched into eternity on the Internet. Daren’t. Even. Drink. Alcohol. Can you imagine?!

But to a greater or lesser extent, we’re still in thrall to our smartphones – and use them to post unflattering pictures from the Christmas party when we’re a little the worse for wear, reactionary comments about current affairs on social media when the red mist descends, and make spontaneous online purchases on a Saturday night after a couple of glasses of wine. We love the convenience of being able to say “Hey Siri”, yet don’t often think about how our ‘black mirrors’ are able to establish that we said it. (Clue: they’re listening to us).

We’re delighted when the customer service agent knows our name without us having to rifle through shoeboxes full of bills to fish out our customer number, when our smartphone tells us we’re about 38 minutes away from the office under current traffic conditions, and when our newsfeed displays discounts on products we were literally only just talking about, just the other day.

Yet our inboxes are full of unsolicited marketing emails and our call histories full of unsolicited accident-claims calls. When 96.8% of all the emails in your inbox are marketing emails, it raises an existential question – does it even qualify as a personal email account, or has it now been repurposed entirely as a repository of tailored ads?

And now, more than ever before, our entire identities are vulnerable to theft in ways we can barely imagine.

If you’re a fraudster, take a card number from an online purchase, combine it with a date of birth and a pet’s name from Facebook and an address and postcode from the Postcode Address File, and you’d have a pretty good chance of hacking someone’s bank account.

But it’s not just the risk of nefarious activity we need to be wary of.

Big Data runs an eye-watering proportion of your life, largely invisibly, and certainly outside of any recognised structure of accountability. There are categories of personal data around today that simply didn’t exist when the Data Protection Act 1998 was passed.

And there are even academics who believe that if this is left unchecked, we could be inadvertently accelerating towards a system of algorithmic governance that has the potential to make the law, government and democracy obsolete, and with it any human rights we currently enjoy, such as paid holidays. Scary stuff.

GDPR is about redressing the balance – about putting control of your private personal data back into your hands. It’s about rolling back the increasingly technocratic system of ‘managed outcomes’ concerned only with predicting and mitigating risk to financial institutions; and backfilling it with democracy – power to the people in the truest sense of the phrase.

It’s sobering to think that after 40 years of bingeing on increasingly detailed and available forms of personal data, corporations often know us better than we know ourselves.

But GDPR means they will now need to go on a strict data diet, or suffer stiff financial penalties. Do they really need that extra helping of postcodes? That side-order of dates of birth? That starter-portion of GPS coordinates? Or recordings of your private conversations for dessert?

From 25 May, if they do, they’ll have to prove it, tell you what they have, give you access to it, and articulate exactly what they use it for alongside their legal basis for doing so. And where no other lawful basis applies (such as performance of a contract or a legitimate interest that outweighs your rights), they’ll need your freely given consent to continue.

That is, if you ask them about it.

The idea is that once people are able to exercise their right to privacy under the Universal Declaration of Human Rights, they will – and the resulting administrative burden will encourage organisations to slim down what they capture until it’s the minimum they actually need, and nothing else.

If organisations start receiving large numbers of Subject Access Requests (under the right of access), along with requests under the right to be informed, the right to object, the right not to be subjected to automated decision-making and the right to erasure, capturing ever-more intimate forms of personal data will cease to be worth the effort, the risk or the cost.

Instead, they will need to anonymise your data, so that nobody can identify you from it and it falls outside the regulation altogether, or ‘pseudonymise’ it, replacing the fields that identify you with tokens that can only be linked back to you using a key held separately. Pseudonymised data is still personal data under GDPR, because whoever holds that key can reverse it; what changes is how hard re-identification becomes for everyone else.
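As an added illustration (example code written for this page, not from the original post, the author’s programme, or any product), here is what that distinction looks like in practice. Hashing a date of birth with an unkeyed hash only looks anonymous: the entire candidate space is a few tens of thousands of dates, so anyone can recompute every possible token and read the hash straight back. A keyed HMAC under a secret that is stored away from the data is genuine pseudonymisation; without the key the same dictionary attack finds nothing, and with it the data controller can still link records, which is exactly why it remains personal data. The records, key and field names below are constructed for the example.

```python
"""Pseudonymisation: unkeyed hash vs keyed HMAC on a low-entropy field.

Constructed example; the records, key and field names are invented.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Optional

# Constructed sample records (not real people).
RECORDS = [
    {"customer_id": 1001, "name": "A. Example", "dob": "1984-03-17", "postcode": "SW1A 1AA"},
    {"customer_id": 1002, "name": "B. Sample", "dob": "1991-11-02", "postcode": "M1 1AE"},
]


def naive_pseudonymise(value: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it for any guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonymise(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored separately from the data.

    Deterministic for a given key, so the key holder can still link records
    across systems; that is what makes the output pseudonymous, not anonymous.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def all_dates_of_birth(first_year: int = 1920, last_year: int = 2010) -> Iterable[str]:
    """Every ISO date in the range: the whole candidate space for a DOB (~33k values)."""
    d = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def dictionary_attack(token: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Re-identify a token by recomputing it for each candidate value.

    An outsider has no key, so can only try the unkeyed hash; the data
    controller (or anyone who steals the key) can reverse the keyed form too.
    """
    for candidate in candidates:
        guess = (keyed_pseudonymise(candidate, key) if key is not None
                 else naive_pseudonymise(candidate))
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def pseudonymise_record(rec: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed tokens and coarsen the postcode.

    The name is dropped entirely; the outward postcode (e.g. 'SW1A') is kept
    because the analytics use case in this example only needs the area.
    """
    return {
        "customer_token": keyed_pseudonymise(str(rec["customer_id"]), key),
        "dob_token": keyed_pseudonymise(rec["dob"], key),
        "postcode_area": rec["postcode"].split()[0],
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held in a KMS, not beside the data
    dob = RECORDS[0]["dob"]

    # The unkeyed hash falls to a dictionary attack in a fraction of a second.
    print("unkeyed hash recovered as:",
          dictionary_attack(naive_pseudonymise(dob), all_dates_of_birth()))

    # The keyed token does not, unless the attacker also has the key.
    token = keyed_pseudonymise(dob, key)
    print("keyed token without key:", dictionary_attack(token, all_dates_of_birth()))
    print("keyed token with key:   ", dictionary_attack(token, all_dates_of_birth(), key=key))

    for rec in RECORDS:
        print(pseudonymise_record(rec, key))
```

The coarsened postcode is a reminder that tokenising the obvious fields is not the end of the job: a full postcode plus a date of birth identifies most people on its own, so the fields left in clear need the same scrutiny as the ones replaced.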

And therein lies a wealth of opportunity for the business analyst, because it means organisations will have to become very deliberate about how they deliver change.

One of my BA bugbears is use of the phrase “requirements gathering”, which suggests that business requirements are strewn on the grass like conkers in autumn, and all a BA has to do is nip out and gather them in a wicker basket. I much prefer the term ‘requirements elicitation’, because that, to me, is much more reflective of the process of engaging stakeholders, understanding their business drivers and how their ways of working need to change to address them, challenging their perceptions and ‘eliciting’ what they actually need, rather than simply writing down what they ask for.

This is business analysis in the literal sense of the phrase, and a BA often has to carve out the opportunity to do this on a project, usually in the face of resistance from impatient stakeholders who see BA techniques as unnecessary bureaucracy.

But GDPR means companies will have to map their data flows, which means mapping the business processes that acquire, process and output personal data. They will have to assess each processing activity for its legal basis, and design processes for fulfilling the right to be informed, the right of access, the right to object, the right to erasure and the biggie – the right not to be subjected to automated decision-making – all within the new, stricter timescales.

Yet as every BA knows, if they commit to doing this properly, there are many business benefits associated with going through this process.

Firstly, eliciting business requirements by understanding the detail of business processes is the only reliable way of ensuring the completeness, consistency, accuracy and relevance of the resulting requirements. Better quality requirements mean better quality solutions.

Furthermore it will create the collateral to enable the business to achieve potentially dramatic improvements in efficiency through business process standardisation. If we think of business processes as simply a way of ‘drawing work’, for managers in the business, it means being able to work ‘on’ their business areas rather than ‘in’ them. That will enable better strategic management for the long-term health of the organisation.

It will also improve organisational decision-making through the governance structures that will be needed to ensure GDPR compliance, and will mean that no project-management shortcuts can be taken without also involving huge risk – a risk you can now put a reliable number on.

Any company wishing to compete on the basis of the enhanced customer experiences they provide will need to demonstrate, first and foremost, that they can be trusted with the personal data needed to enable them. And that will require a level of coherence between their communication channels that will require systems thinking to achieve.

So as we enter into the new year, taken as an opportunity rather than purely as the mitigation of a threat, GDPR can be a catalyst for a monumental spring clean of business activity. In many ways, it’s forcing companies to mature to the point of being responsible with what they know about us – and crucially, being able to demonstrate that.

And it’s not just the May 25th deadline they need to worry about – that’s just the beginning. As the ICO starts to exercise its ability to impose hefty fines – 40 times what they were under the Data Protection Act – its resources will grow, and the imperative for organisations to demonstrate the coherence of their business models will grow accordingly.

That’s a massive incentive for companies to build robust scaffolding under their commercial growth, and to operate in a more controlled and deliberate manner. And that in turn represents an awful lot of demand for the BA skill-set, which should keep us in analysis work for some time to come.
