The General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and yet many companies are still wondering whether GDPR applies to them. The short answer is that it probably does. GDPR's reach is incredibly broad: it covers any organization, wherever it is established, that processes personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behavior. This includes the bed and breakfast that just received a reservation from a European guest, a financial services company with international customers, big-box retailers, and manufacturing firms with a global client base. Each must meet the GDPR requirements or face heavy penalties, up to 4% of annual worldwide turnover or €20 million, whichever is higher.
GDPR is not your typical compliance package. Sure, it shares ground with other large regulations such as HIPAA, but it also codifies principles that are mainstays of European privacy law. This gives companies a chance not only to become compliant but to address what their European customers actually want. Companies that embrace the European view of privacy can establish a greater degree of trust with a valuable customer base, and that trust is what leads to long-standing loyalty and customer evangelism.
So what does this European view of privacy look like? Three elements stand out: consent, the right to erasure, and the right to data portability.
Consent
GDPR requires a lawful basis for every use of personal data; alongside bases such as performance of a contract or a legal obligation, consent is the one the regulation defines most strictly. Consent must be freely given, specific, informed, and unambiguous, and it must be tied to a stated purpose: the organization first spells out how it will use an individual's data and then obtains approval for that use. Data use is then limited to what the person allowed, the person can withdraw consent as easily as it was given, and the organization must keep records of its processing activities describing what data it holds, why, who it is shared with, and how long it is retained. These records must be produced on request to the supervisory authority, the independent data protection regulator of the EU member state in which the business has its main establishment.
Right to erasure
The right to erasure, also known as the right to be forgotten, requires that companies delete the personal data they hold on a person when the individual requests it and no legal ground for keeping it remains, and that they do so without undue delay. Customers want to be able to use services and understand that doing so may require them to divulge personal information. However, once they have received the service, they want the ability to have their data removed, out of concern that it could later be used for other purposes or lost in a data breach. In practice this means an organization must know every system, backup, and third-party processor that holds a person's data, because deletion has to reach all of them. The right to erasure gives Europeans more control over how and when their data is used.
Right to data portability
Under GDPR, individuals have the right to data portability. This allows customers to move between vendors without the risk of a vendor holding their data hostage. Companies must provide the personal data a person has given them in a structured, commonly used, machine-readable format and, where technically feasible, transmit it directly to another provider at the person's request. The right covers data the individual supplied that is processed by automated means on the basis of consent or a contract, so organizations need an export path that produces complete, consistent records rather than screen dumps or proprietary file formats.
GDPR is coming fast. Are you prepared for the changes? You might be closer than you think. Many large companies have been working on GDPR compliance for some time now, and they already offer mature products that can help you become compliant efficiently and cost-effectively. The cloud, in particular, provides excellent flexibility and scalability to meet varying company needs with services that have been designed with GDPR's requirements in mind. One caveat: using such a provider does not transfer your obligations. As the controller of your customers' data you remain accountable for it, and you need a data processing agreement with each provider that handles it on your behalf.