EU General Data Protection Regulation: The Countdown Begins
Are you ready? EIM is the first step.
On May 25, 2016 the European Parliament entered into force the General Data Protection Regulation or GDPR. The Regulation will have a significant impact on organizations in all industry sectors, bringing with it both challenges for compliance as well as opportunities to achieve competitive advantage.
- GDPR & EIM
What is the GDPR?
The GDPR is the new sweeping European Union (EU) legislation that modernizes and reforms the laws that address the handling of personal data. It replaces the European Data Protection Directive (95/46/EC) which was implemented inconsistently across Europe and did not have legislative authority.
- The GDPR applies to all 28 EU member states and has the full force of the law.
- It applies to EU citizens’ personal data, regardless of where it is collected, stored, or processed – whether inside or outside of the EU.
- If your company collects and stores the personal data of EU citizens, the GDPR is relevant to your organization, even if you don’t have a formal presence in the EU zone.
- There is a transition period of two years for organizations to implement compliant processes. The deadline is May 2018.
- The GDPR does not apply to the processing of personal data as it pertains to matters of national security or "purely personal or household activity."
|Stricter consent rules||The GDPR requires that individuals give unambiguous, informed consent before their data may be processed. Consent cannot be assumed from inaction.|
|Enhanced rights for data subjects||Individuals have more rights under the GDPR including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request personal data be ported to another service provider.|
|Data breach notification||Organizations must notify those whose data has been breached, within 72 hours of the breach.|
|Increased accountability measures||There are a number of new governance requirements for subject organizations, including conducting privacy impact assessments and appointing a data protection officer.|
|Substantial fines||Maximum penalties are €20 million or 4% of annual global revenue, whichever is greater.|
Data Minimization vs Data Maximization
Today, most businesses and their marketing teams follow the practice of data maximization, that is, collecting as much data about consumers as possible, sometimes before they know exactly what, how, or when that data will be used. In addition they will extract as much value out of this data as they can, including at times, reusing it for various purposes or even selling it to another party. One of the biggest tenets of the GDPR is the principle of data minimization, that is, that firms collect only the smallest amount of personal data for the shortest period of time possible, and delete it as quickly as possible after its specific purpose is completed.
Organizations need to act now to ensure that they are ready to comply with the new Regulation when enforcement begins May 2018.
An important first step will be for organizations to have clarity on how they manage personal information, including:
- What personal data they process
- Where it is stored across the organization
- Who has access to it
- What consent has been provided and where it is documented
- Where it is transferred from and to (including to third parties and cross-border)
- How it is secured throughout its lifecycle
- If there are processes in place to dispose of personal data, as per policy
To Support GDPR Requirements
- Ensure an appropriate level of security, including confidentiality
- Protect personal information from unauthorized access
- Secure data in transit
- Provide right to erasure
- Provide right to rectification
- Provide right to data portability
- Adhere to data minimization
- Enforce records management
- Ensure data protection by design and default
How OpenText Can Help
- OpenText Content Suite delivers transparent, automated, enterprise-wide governance to produce industry-leading security, privacy and compliance.
- OpenText Records Management supports data minimization by streamlining and automating retention and disposition processes.
- OpenText Business Network utilizes important security protocols such as encryption in transit and at rest; information passed through the OpenText Cloud fax network and OpenText Business Network Cloud network is protected end-to-end.
- OpenText Discovery solutions offer pattern-identification tools to automatically identify sensitive personally identifiable information ("PII") in discrete data sets which can be mass-redacted automatically or flagged for eyes-on review and manual redaction.
- OpenText Cloud Services offer comprehensive security and compliance capabilities and are qualified data processors. We are constantly interfacing with customers, regulatory bodies, and standards boards to advance compliance and serve customers’ needs.
- OpenText Product Security Assurance Program (PSAP) ensures that all our products, solutions, and services are designed, developed, and maintained with security in mind i.e. security by design.