The EU General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC on May 25, 2018. This will have significant impact on the global management and processing of protected data. Affected organizations can capitalize on GDPR compliance initiatives by using them to jumpstart larger data governance initiatives. This article will cover key GDPR compliance considerations and tactical supporting solutions offered by BackOffice Associates.
Affected Organizations
The GDPR will apply to all organizations that collect, store, and/or process personal data of subjects residing in the EU, regardless of the organization’s location. Personal data, as defined by GDPR, is any information that can be used to identify a person, which can include:
- Consumer insights and buying habits
- Supplier, contractor, and employee information
- Prospect information for sales opportunities
- Medical records, genetic information, and biometric data
- Voice recordings (think “Alexa”, “OK Google”, and “Hey Siri”) and live streaming data
- Photographs and posts on social network sites
- Criminal history and drug screening records
- Online identifiers provided by devices, applications, tools, IP addresses, cookies, and/or RFIDs
Data Subject Rights
A major aim of the new regulation is to provide data subjects added protections in an increasingly data-driven world. A full list of data subject rights can be found in the GDPR full official text. Some of the more significant protections include:
- Right of Access (Art. 15) Subjects have the right to obtain confirmation as to whether their personal data is being processed, and if so, the purposes of processing, categories of data concerned, recipients of the data, where the data is being stored, and for how long the data will be stored. The subject may also request a copy of the data being stored in electronic format at no charge (for first time requests).
- Right to Rectification (Art. 16) Subjects have the right to have inaccurate personal data concerning them rectified without undue delay.
- Right to Erasure (“Right to be Forgotten”) (Art. 17) Subjects have the right to request deletion of their personal data and the controller shall have the obligation to delete such data without undue delay when specific conditions are met.
- Right to Restriction of Processing (Art. 18) Subjects may restrict processing of their personal data where certain conditions are met.
- Right to Data Portability (Art. 20) Subjects have the right to receive personal data concerning them in a structured, machine-readable format, and have the right to transmit that data to another controller.
- Data Protection by Design & by Default (Art. 25) Controllers shall implement appropriate technical and organizational measures that are designed to implement data-protection principles.
- Personal Data Breach Notification (Art. 33 & 34) Controllers must notify the supervisory authority and the data subject of a breach without undue delay and where feasible, not later than 72 hours after having become aware of it. Notification must meet specific requirements and may not be required if certain conditions are met.
Penalties
Not taking necessary precautions to ensure regulatory compliance could be costly. Organizations in breach of GDPR will be subject to a two-tiered sanctions regime. The lesser tier can be fined up to €10m or 2% of global annual turnover, whichever is greater. This includes offenses such as:
- Mismanagement of data subject records
- Failure to notify data subject about a breach
The upper tier can be fined up to €20m or 4% of global annual turnover, whichever is greater. It covers offenses such as:
- Failure to obtain sufficient consent to process data
- Violation of Privacy by Design concepts
BackOffice Solutions for GDPR Compliance
BackOffice offers software and cloud-based solutions that support GDPR initiatives. Our Data Quality offering (dspMonitor + dspCompose) enables businesses to:
- Document and enforce data policies. Define rules for managing data of subjects protected by GDPR. Discover deviations from defined rules and operational insights through custom and prepackaged reporting.
- Efficiently and economically implement data quality remediation. Quickly remediate GDPR policy violations across multiple systems through a web-based interface (or spreadsheets) without requiring technical knowledge of underlying systems.
- Monitor data objects across virtually all systems. View up-to-the-minute status of all data objects via customizable dashboards. Assign responsibility for GDPR data quality across a team of data stewards who can initiate remediation workflows when policy violations surface.
BackOffice Information Governance solutions, including dspConduct and the Information Governance Cloud (IGC), can be leveraged to enforce Data Subject Rights such as the Right to Erasure and the Right to Data Portability. Our customers realize benefits such as:
- Simplified Compliance Processes. Consolidate data-driven tasks into processes that enforce business rules for managing GDPR protected data. Integrate data from any source, including the cloud, into compliance processes.
- Trusted, Assured, & Timely Data. Define & monitor compliance processes against SLAs. Enforce quality checks at the point of data entry through customizable business rules. Upload only business-ready data to production systems through an optional auditing workflow that reviews and approves changes to data.
- Agile Operations. Monitor process improvement opportunities through customizable dashboards. Gauge the impact of changes to current processes and the business lineage of all changes through predictive analytics.
Final Thoughts
With the GDPR enforcement date approaching quickly, it is imperative that organizations implement compliance strategies to avoid harsh penalties. Organizations that don’t already have a data governance program in place should consider this an opportune time to initiate one. Compliance will require not only taking inventory of all stored data, but also managing rules for incoming data and the future of all data processing. For organizations in the big data game, this will be a major undertaking.
[Credits]
GDPR Full Official Text: https://gdpr-info.eu/
Image Source: https://pixabay.com/photo-2903156/