GDPR-Compliant Data Protection: For Consumers, It’s Personal

Paul Kurchina, in Security, Cybersecurity, November 14, 2017

Operational disruptions, damaged reputations, data theft, financial loss, and regulatory fines — headlines worldwide have covered every possible downfall of a growing number of successful cyber attacks. Thanks to the media, awareness of the importance of personal data and its value is opening up the eyes of executives, as well as their employees and customers.

The European Union is hoping that its General Data Protection Regulation (GDPR) will give businesses the practical guidance they need to tighten data security. Although the mandate will not come into effect until May 25, 2018, Benjamin Spies, IT lawyer and partner at SKW Schwarz, stated that the urgency for data protection is so high that businesses need to comply with the mandate sooner rather than later.

“There's such a strong focus on the GDPR right now that it’s very likely that private individuals want to make use of their rights before May 25, 2018. Businesses will be expected to have these rules already in place long before the enforcement date,” Spies said in the ASUG webcast, “Doing Business in Europe? General Data Protection Regulation (GDPR): What You Need to Know and Do.”

The GDPR Bill of Rights Customers Demand Long Before May 2018

For far too long, people have been giving up their personal information without thinking twice about the consequences. Every industry has significantly profited from this data by acquiring insights that were never accessible in the past and selling it to a variety of third parties at a premium. One piece of information can be handed over to countless organizations and people — without the consumer knowing who or what has their data and how it’s being used.

But this apathetic approach to data sharing is changing now that current data protections have proven ineffective. As their privacy consciousness strengthens, consumers expect businesses to honor the fundamental rights to data security defined by the GDPR.

During the ASUG webcast on the GDPR, Patric Dahse, CEO and founder of Natuvion Americas, outlined the consumers’ bill of individual rights that every business must now promise:

  1. The right to access: Businesses must be transparent in where data is acquired, stored, and distributed as well as how it is grouped together for aggregated analysis and reporting. Plus, they must be able to provide a copy of this information.
  2. The right to data portability: Data extraction should be streamlined, and the transfer of information to a third party should be automated. Consumers must be able to receive their personal data in a structured, commonly used, and machine-readable format and to share that information with another controller without restriction.
  3. The right to restrict processing: The controller should restrict processing when the consumer contests accuracy, objects to the sharing and use of the information for a legal reason, or requests to define how the data should be used.
  4. The right to rectification: Data inaccuracies and incompletions should be resolved without undue delay.
  5. The right to be forgotten: Consumers reserve the right to ask for the deletion of personal data, and the controller should oblige the request without undue delay. This rule is especially important when the information is no longer necessary in the exchange for product service or access, the data is unlawfully processed, or the consumer withdraws consent or objects to processing without any overriding, legitimate grounds for the business to dispute.
  6. The right to be informed: Consumers must be notified when personal data is transferred to another country or an international organization, and of the appropriate safeguards in place to protect against data breach, theft, and misappropriation.

In just a few months, GDPR supervisory authorities will begin to enforce these personal rights. Until then, it’s important that companies focus their limited IT resources on production landscapes. By leveraging technology, businesses can anonymize testing, quality assurance, and other nonproductive landscapes. When done properly, anonymization places the processing and storage of personal data outside the scope of the GDPR, which, in turn, expedites IT landscape compliance.

Complying with the GDPR is more than just avoiding crushing fines, adhering to more than 80 new requirements, or hiring a data protection officer. It’s also about reestablishing trust and accountability in the customer relationship. For this reason, executives must get started right away by understanding how the GDPR will impact their data operations; identifying gaps that would hinder compliance; and prioritizing actions to resolve issues within the IT architecture, data landscape, and business processes and best practices.

For more insights into data protection and the best way to deliver on the promises of the GDPR, watch the replay of “Doing Business in Europe? General Data Protection Regulation (GDPR): What You Need to Know and Do,” featuring Spies and Dahse.