The General Data Protection Regulation (GDPR) is the new EU data privacy regulation that comes into force on May 25, 2018. GDPR requires organizations to manage customer data more securely, and to provide some fundamental data rights to EU citizens regarding access to data about them, as well as portability of their data.
Some of the fundamental rights that the regulation covers include:
- Consent to the processing of data
- Consent on data utilization and the right to withdraw consent at any time
- Erasure (to be forgotten where appropriate)
- Rapid notification of a breach
- Rectification of inaccurate personal data concerning the data subject
- Data portability to other providers
- A copy of processed personal data upon request
There are multiple other dimensions to the regulation that are not detailed in this article, which also significantly impact how organizations manage data pertaining to their customers, consumers, partners, staff, and other “data subjects” (individuals).
While this regulation was created in the EU and was intended to protect the data rights of EU citizens, there are three reasons you should be thinking about the impact GDPR will have on the way you manage customer data.
Reason 1: Territorial Scope
As defined in Article 3, Territorial Scope, GDPR applies not only to organizations located in the EU, but also to organizations not located in the EU that offer free or paid goods or services to EU citizens, or monitor the behavior of EU citizens. The second type of organization includes many right here in North America, and perhaps even yours.
Like most regulations, GDPR impacts some industries more than others. An excellent example of an industry that is profoundly affected is the hospitality industry.
As EU citizens visit our hotels, theme parks, casinos, beach resorts and so on, these individuals (or “data subjects,” as the regulation refers to them) may want to exercise their “EU personal data rights” at any time. They may inquire about the use of their data, or they may request “to be forgotten” after their vacation. Whatever the reason, the requests must be fulfilled in accordance with this regulation. Therefore, all organizations must have the capability to fulfill these and all other requirements for GDPR compliance.
Reason 2: Financial and Reputational Liability
There is a great deal at stake from both a financial and a reputational standpoint. Non-compliant organizations could be subject to fines of up to 20,000,000 EUR ($25 million), or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The journey to compliance is no small feat considering the quantity, variety and complexity of data managed by organizations. Customer data continues to proliferate even as these organizations contemplate the impact on their operations, or their options for compliance. Data proliferation is a huge challenge because customer data is often extracted from source systems before being transformed, enriched and copied to other systems for subsequent processing. Those other systems are often outside of formal governance processes, and visibility into the use of the data diminishes quickly, often until the organization has no visibility into it at all.
According to a PwC survey released in 2017, about 77 percent of the companies surveyed planned to allocate $1 million or more to GDPR readiness and compliance efforts, with 68 percent stating that they would invest between $1 million and $10 million, and 9 percent expecting to spend over $10 million to address GDPR obligations.
Reason 3: Business Opportunity
At Sirius, we are uniquely positioned to help our clients navigate through the data management challenges that GDPR imposes.
Using the strong partnerships we have with some of the leading data management solution providers like Informatica, we can implement solutions that can help organizations automate discovery of relevant customer data across any number of databases, business applications, big data, and cloud data stores—not just one time, but on a continual basis as required.
These solutions are capable of enabling the right to be forgotten, and can also manage consented data and non-consented data while still maintaining the transactional integrity of the data across the organization.
For further discussion and information on GDPR, data management, data privacy, data security and other related topics, please contact me directly. You can also visit siriuscom.com/data for more information about our offerings and specialties.