Demystifying the General Data Protection Regulation (GDPR)

The European Union’s regulation for the protection of personal data may seem daunting: it applies to European companies, but that’s not all. The GDPR reaches beyond EU borders. Yet if you think about it, the regulation makes perfect sense in today’s world.

Much-needed legislation against a backdrop of digital and data transformation

In North America, legislation concerning personal information already exists, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the data breach notification laws of the various U.S. states.

Knowing that more than 2.5 quintillion bytes of data are produced every day around the world (Accenture), we can understand the urgency for regulation. Although it may seem overwhelming to businesses, it appears to make sense, especially in terms of customer service. In order for companies to continue to ensure good customer relationships, it is important for them to be more transparent about their access to and management of data. Users have a say, and the repercussions on companies are not totally negative—quite the contrary.

So this is the ideal time for companies to establish a data management policy. It would both ensure compliance with the new regulation and improve customer relationships, while optimizing the use of data.

The GDPR is broad-sweeping and extends beyond the European Union

The legislation is mainly aimed at organizations on European soil—but not exclusively. Regardless of geographic location, all individuals whose personal information is processed or generated by the European government are entitled to this protection. Furthermore, any non-European organizations providing a service to European customers must abide by the legislation.

That means the regulation is not only an EU issue, since it affects a tremendous number of companies, whether they be in Europe or elsewhere. The regulation paves the way for nations outside the EU as well!

Five criteria to focus on for the GDPR

The General Data Protection Regulation is a set of rules for the protection of consumers’ personal information and the transparency revolving around that information. It comes into force on May 25, 2018 and applies directly to each member state of the European Union.

In order to adhere to the GDPR, companies should take a close look at the five criteria below:

  • Easy access to personal information: All individuals have the right to obtain personal data held about them. They must be able to consult their data and receive it in an accessible, machine-readable format. Under what is called “the right to be forgotten,” they can request that their information be corrected or removed.
  • Clear consent via a transparent process: Companies must now obtain explicit consent from consumers to collect data about them. Previously, implicit consent was enough, through opt-in options, e.g. checking a box. Companies must also manage requests for removal, keep records of their handling of data and provide clear, concise and informative information to the consumers involved.
  • Data protection by default and by design: Companies must integrate personal data protection into the development of their products, services and data processing systems. This requires no action on the part of the user and must be ensured by default.
  • Notification of data breaches: Companies must respond quickly and inform the affected users as soon as possible if their data has been breached.
  • Portability of personal data: Individuals have the right to request that their personal data be transmitted from one data controller to another, and an appropriate level of security must be ensured.

Non-compliance with this regulation could lead to significant financial penalties of up to 4% of a company’s annual rate of return. The goal is clearly to push all companies to put a framework in place for maximum privacy of personal information. This regulation will not only affect IT and technical departments but entire organizations, from the marketing department to the legal department.

Companies will have to introduce big changes to comply with this legislation. Although our software packages are regulation-agnostic, they may help with your processes. In fact, our technology does not store any data; acting as middleware, it can easily help you work with the data, regardless of what system it is in. Our software also allows you to automate your business processes and create dynamic, multichannel communications. Feel free to contact one of our advisors for further information.

GDPR Infographic