What You Need to Know About the GDPR
We’re now three months past the deadline for compliance with the General Data Protection Regulation (GDPR), and many companies are still scrambling to implement the right processes and technologies to protect against GDPR violations. Experts from Synechron detail a simple, four-step approach to ensure compliance.
with co-author Philip Khan
Does this sound familiar?
“I read on Facebook that you keep tons of data which violates my privacy and you are now obliged to give it to me. Can I have it?”
“According to that new privacy regulation, I have the right to be forgotten. So can you please delete everything?”
“I heard that you now need to give my data to others, that is not what I want!”
If you have heard anything resembling these requests in the past months, then you know that your clients are starting to become aware of the GDPR. Unfortunately, a lot of half-truths are circulating, and the average customer is not as well informed as they could be. So what are their rights? And how should businesses organise themselves to become GDPR-compliant?
If you have not heard any of these remarks yet, brace yourself for impact: this is no simple matter, and the May 2018 deadline has come and gone. Worried? Don’t be. This article outlines how businesses based in Europe, and businesses elsewhere with clients in the EU, can best proceed with their GDPR strategies.
Sorting Out the Facts: What Exactly is GDPR?
The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC (DPD) and aims to harmonise data privacy law across Europe. The GDPR protects the personal data of individuals in the EU, regardless of citizenship, and it applies to any organisation processing personal data in the context of an establishment in the EU, as well as any organisation located outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU. The main rights addressed under the GDPR are the right to data portability, the right to erasure (the “right to be forgotten”), and the rights of access and rectification. Instead of requesting erasure, a data subject can also ask for a restriction on the processing of their personal data.
The GDPR expands on rights that already existed under the DPD. This brings additional obligations for data controllers and processors, including added responsibilities in data protection and increased legal liability in the case of a breach, with administrative fines of up to €20 million or 4 percent of total worldwide annual turnover, whichever is higher. The GDPR also restates the data protection principles and adds an accountability principle, which requires controllers to be able to demonstrate compliance with all of them. Operationally, organisations may be obliged to appoint a Data Protection Officer (DPO), and may be required to carry out a Data Protection Impact Assessment (DPIA) before starting processing activities that are likely to result in a high risk to individuals.
Forming a Strategic Approach to the GDPR
So, now that you understand the nuances and implications of the legislation, how do you go about implementing the new requirements in your business? To shape a strategy, firms must focus on answering the following questions: how do you maintain insight into the data? Where is the data located, and who has access to it? How do you prevent a data leak from happening? And have you already thought about the following?
- Will your systems be impacted when a client requests personal data to be sent to competitors? Note the overlap with PSD2.
- Are you prepared for stricter recordkeeping obligations? Are you able to dispose of data after the maximum retention period?
- Do you transfer data to third parties and/or third countries? On which basis is the company sharing data with group entities?
- Can you maintain records of processing activities, including the purposes of processes? Where will you store these records?
Synechron has an easily deployable approach to analysing, designing and implementing a GDPR-proof solution. We propose a four-step approach:
As with any new regulatory obligation, it is easy for businesses to see it purely as a regulatory burden. The lesson we have learned from dealing with several regulations is that it is better viewed as an opportunity. You know that your client data is scattered across the organisation in numerous departments, systems and data stores. You know the same client exists multiple times in your organisation, depending on the number of divisions they interact with. You know the frustration and issues this leads to for both the institution and the customer when the data cannot be matched across the organisation. The GDPR can be the push to streamline these processes and provide the framework for organising data. To begin, businesses should:
- Scan through all systems, processes and data storage looking for client data
- Identify privacy-related data fields
- Ensure you have this overview readily available for operational processing and reporting
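The three steps above are, in practice, a data-discovery scan. The script below is an added example (it is not Synechron’s tooling and not part of the original article) that shows the shape of such a scan: three hypothetical systems (crm, billing, analytics) are modelled as constructed sample records, each field is classified as personal data from its name, its values, or both, and the result is an inventory keyed by system, table and field that can be inverted per category to answer an access or erasure request. The field-name hints and value patterns are illustrative assumptions, not a complete taxonomy.

```python
"""Personal-data discovery scan over a constructed sample of an organisation's data stores.

Added example, not the article's or Synechron's own code. Three hypothetical
systems (crm, billing, analytics) are modelled as nested dicts of table -> rows.
"""
import re

# Constructed sample data: a CRM, a billing system and an analytics store.
SYSTEMS = {
    "crm": {
        "customers": [
            {"id": 1, "full_name": "Anna de Vries", "email": "anna@example.com",
             "phone": "+31 6 12345678", "notes": "prefers email"},
        ],
    },
    "billing": {
        "invoices": [
            {"invoice_no": "INV-001", "iban": "NL91ABNA0417164300",
             "amount": 120.0, "customer_ref": "C1"},
        ],
    },
    "analytics": {
        "events": [
            {"session": "abc123", "page": "/pricing", "client_ip": "203.0.113.7"},
        ],
    },
}

# Field-name tokens that suggest a category (illustrative assumptions, not exhaustive).
NAME_HINTS = {
    "name": {"name", "firstname", "lastname", "surname"},
    "email": {"email", "mail"},
    "phone": {"phone", "tel", "mobile"},
    "bank_account": {"iban", "bic"},
    "ip_address": {"ip"},
}

# Value patterns for the same categories; matched only against string cells.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s\-()]{7,}$"),
    "bank_account": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
    "ip_address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
}


def classify_field(field, values):
    """Return the set of personal-data categories a column appears to hold."""
    categories = set()
    # Split the field name into tokens so "ip" does not match "zip" or "description".
    tokens = set(re.split(r"[_\-\s]+", field.lower()))
    for category, hints in NAME_HINTS.items():
        if tokens & hints:
            categories.add(category)
    # Value-based detection catches personal data hiding behind a neutral field name.
    for value in values:
        if not isinstance(value, str):
            continue
        for category, pattern in VALUE_PATTERNS.items():
            if pattern.match(value):
                categories.add(category)
    return categories


def scan(systems):
    """Walk every system/table/field and record the fields that hold personal data."""
    findings = {}
    for system, tables in systems.items():
        for table, rows in tables.items():
            fields = sorted({field for row in rows for field in row})
            for field in fields:
                values = [row.get(field) for row in rows]
                categories = classify_field(field, values)
                if categories:
                    findings[(system, table, field)] = sorted(categories)
    return findings


def locations_by_category(findings):
    """Invert the inventory: category -> sorted list of 'system.table.field' locations."""
    by_category = {}
    for (system, table, field), categories in sorted(findings.items()):
        for category in categories:
            by_category.setdefault(category, []).append(f"{system}.{table}.{field}")
    return by_category


if __name__ == "__main__":
    inventory = scan(SYSTEMS)
    for location, categories in sorted(inventory.items()):
        print(".".join(location), "->", ", ".join(categories))
    print(locations_by_category(inventory))
```

Two caveats a practitioner should keep in mind. First, the free-text field `notes` is not flagged, although such fields routinely contain names, phone numbers and other personal data; heuristics like these find structured personal data, not everything. Second, a real scan must cover backups, log files, exports and analytics stores as well as the primary databases, because those are exactly the copies that are missed when an erasure request arrives.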
As a first step towards governing client data as one company-wide golden source, your business can turn the regulatory “burden” into a viable business case for strategic advantage in a market where customer intimacy is becoming more important every day. Emerging technologies, such as artificial intelligence and blockchain, can be used to enhance operational processes and to support the larger strategy for getting the most out of an organisation’s data.
While applying technology to meet regulatory compliance isn’t exactly new, the application of these technologies to streamline data processes can be beneficial in several ways. One can think of regulatory solutions that can be applied to multiple use cases or business lines, dealing with data that not only helps comply with legislation like the GDPR, but also helps the business fully utilize the data as an asset, and perhaps use it for predictive modelling down the line using historical data. By leveraging the opportunity of regulatory necessity with innovative solutions, business operations can reap sizable benefits.