We recently attended SURG in Stockholm, Sweden, and part of the day was dedicated to the General Data Protection Regulation (GDPR) and its implications for the industry once it goes into effect. The GDPR was approved by the EU Parliament in April 2016 and, following a two-year post-adoption grace period, becomes fully enforceable on May 25th 2018, meaning organizations that are still non-compliant at that time will face heavy fines.
What is GDPR?
In short, the goal of the GDPR is a common process for protecting personal data across the EU. “The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” (www.eugdpr.org)
Who does it affect?
This is EU legislation, so it is easy to assume it only applies to organizations within the EU. While organizations within the EU are the ones primarily affected, one of the biggest changes this regulation brings is that it impacts organizations outside the EU as well. The GDPR also applies to organizations “located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” (www.eugdpr.org)
For customers this means companies within the EU are obliged to provide information on what data is stored about them. If a customer wants to know what data a company holds on them, the company has to provide that information on request. If it does not, it will be fined heavily.
Other key changes to be aware of
Any OT Exstream/StreamServe implementation deals with customer data, so with this new legislation coming into effect it is urgent that companies understand how to comply. The road ahead is unpaved, as no cases exist yet showing what happens to a company that does not comply or what exactly is required of companies. There are heavy fines, and a company might see its solution shut down completely.
There is a tiered approach to fines, and the maximum fine that can be imposed is up to 4% of annual global turnover or €20 million (whichever is greater).
Right of access
As mentioned earlier, the GDPR gives a data subject the right to obtain confirmation of whether or not any personal data concerning them is being processed, and to request a copy of such data free of charge. This is a major change and introduces a new level of transparency.
Right to be forgotten
Just as a data subject can request what is on file regarding their personal data, they also have the right to be forgotten – that is, to have that data erased.
Data breaches concerning personal data must be reported within 72 hours, and companies must notify their customers, the controllers, “without undue delay” after first becoming aware of the breach.
Consent must be clearly given, and practices that companies might previously have gotten away with will no longer be sufficient. “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
Adhering to the GDPR and ensuring compliance will be important for any organization doing business with personal data connected to the EU. The good news is that many companies that have already invested time and effort in creating a better customer experience probably have procedures in place that already comply with many of the requirements, or come very close.
You can read more about the GDPR, and how it might impact your organization or you as an individual, here: https://www.eugdpr.org