The General Data Protection Regulation (GDPR) (https://www.eugdpr.org/eugdpr.org.html) is new legislation that takes effect on the 25th of May 2018 and makes it mandatory for organisations doing business with EU citizens to give those citizens the ability to request deletion of their personal data. GDPR was approved by the EU Parliament on the 14th of April 2016.
The regulation aims to address the data privacy concerns of customers and gives control back to the owners of personal data, meaning any kind of information that can identify an individual, including addresses and biometrics. Owners of data will have a right of access, a right to data portability, a right to correct their data, a right to be forgotten and a right not to be subjected to automated profiling.
GDPR affects governance and privacy impact statements. Consumers must give specific and informed consent, and the existing privacy statements embedded in implicit Terms and Conditions will need to change.
Non-compliance with GDPR can result in heavy penalties of up to 20 million euros or 4% of annual worldwide turnover, whichever is larger. Companies can also be fined 2% for not having their records in order. There will be a 72-hour window in which companies must notify regulators of breaches where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
GDPR regulations force companies with over 250 employees to appoint a Data Protection Officer (DPO). The DPO can be an internal employee or an outside party with sufficient knowledge in this area.
This strategic business issue will need a technical solution. The level of GDPR awareness is particularly low amongst businesses in Asia Pacific. The impact of GDPR will reach Australian shores as well, especially for businesses that deal with EU customers.
Companies will need to implement a system or programme that allows them to achieve GDPR compliance to save themselves from class actions and criminal prosecutions.
One of the solutions is to offer customers a self-service capability to check their personal details on a company’s website. Organisations would then need to remove these individuals from their databases and CRM systems if asked to do so. This will also affect marketing lists purchased by companies from external sources. Organisations will need to build an audit trail of who has access to their systems and constantly update their IAM (identity and access management) policy, whilst keeping a record of data activities and demonstrating GDPR compliance.
In Australia, the Privacy Amendment (Notifiable Data Breaches) Act comes into force in February 2018 and mandates that customers be informed whenever there is a data breach or their privacy is breached. While this regulation is not as stringent as GDPR, it is highly likely that other countries, including Australia, will adopt similar GDPR-inspired regulations.
We at Tridant believe Big Data has a role to play in driving up GDPR compliance. Tridant can help organisations on their journey to GDPR compliance by carrying out privacy impact assessments (PIAs) and by reviewing and mapping data flows.
Tridant can help build the confidentiality, availability and integrity of transactional systems to make sure they are geared towards ensuring GDPR compliance. Tridant can also help organisations map analytics capabilities to GDPR reporting needs and advise on data obfuscation and data encryption needs.
To discuss further technical solution approaches, please email firstname.lastname@example.org and one of our team members will be in touch with you soon.