On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) came into force, sending ripples across our connected digital world. Nearly every user of web-based services felt the impact in their email inbox with a stream of updated privacy policies and opt-in consent forms for the continued delivery of those services—in some cases services they didn’t even know they were receiving!
So, why did customers in Australia, the US, and every other global region receive these emails about an EU law? And what are the GDPR’s implications for businesses around the world?
The extra-territorial nature of the GDPR means that its impact extends far beyond the EU. Many organizations around the world have to comply with the new law because they do business in the EU, they have customers from the EU, or their services are accessible from the EU—and compliance isn’t easy. In many cases, the extensive consumer rights under the GDPR will require companies to fundamentally change how they handle data.
Enter the CCPA, the US Answer to GDPR
Typically, the world follows the US rather than the EU when it comes to technology, commercial, and legal trends. In the case of the GDPR, however, the old paradigm may be reversed. The consumer rights set out in the GDPR, particularly the “right to be forgotten”, have gained a foothold in the consciousness of consumers and lawmakers across the world.
For example, in June 2018, the State of California passed sweeping new laws designed to protect consumer privacy online. Modelled in large part on the GDPR, the California Consumer Privacy Act (CCPA) of 2018 gives consumers more control over their personal information by forcing every business that operates in the state to disclose the information it collects about Californian consumers and the reasons for gathering sensitive personal data.
The law also requires each company to provide consumers with the ‘categories’ of third parties with which it has shared personal information. In addition, the CCPA:
- grants consumers the right to demand that a company deletes their personal information
- gives consumers the right to opt out of the sale of their personal information and prohibits businesses from discriminating against those who opt out
- prevents the sale of data from children under 16 unless they “affirmatively authorize” the use of their data.
There’s No Going Back
The GDPR has fast become the de facto global standard for data protection, with major companies across the UK, Asia Pacific and the Americas choosing to comply with the legislation even though most of their customers are not covered under the law.
The CCPA will further drive home the need for companies to invest in enterprise data systems, customer data privacy, and governance.
At a time when Facebook’s Cambridge Analytica scandal and other high-profile data leaks have eroded consumer trust in business, more enlightened companies are looking beyond the compliance burden of GDPR and CCPA—and instead seeing it as an opportunity to gain a competitive advantage by re-engaging with customers.
According to a Forrester Consulting survey, 34 percent of businesses expect increased customer loyalty due to their adoption of GDPR rules, 32 percent expect improved brand perception, and 30 percent expect more engaged customers.
GDPR Compliance: What You Need to Know
As the CCPA won’t come into effect until 2020, this article focuses on the GDPR’s requirements and what they mean for data governance today.
While confusion still abounds, it is generally understood that the GDPR applies to organizations of all sizes, based anywhere in the world, if:
- the organization has an official presence in the EU, or
- the organization is located outside of the EU but has data processing activities related to the offer of goods or services to individuals in the EU, or monitors the behavior of individuals, where that behavior takes place in the EU.
Note that the GDPR covers individuals in the EU—not just EU citizens—and that “processing” is defined broadly to include collecting or performing any operation on personal data, whether automated or manual.
The GDPR also has teeth, with fines of up to €20 million or 4 percent of a business’s global annual turnover for non-compliance.
To comply with the GDPR, your organization should:
- use extra safeguards for sensitive personal data, such as information on health, race or religion
- get consent from customers before using their data, with the ability for customers to easily opt out of further collection, use or direct marketing
- use plain language to tell customers (or employees) why you are processing their data, who receives it and other details
- ensure data is stored in a format which will facilitate the new rights of data access and portability
- have the ability to comply with the new “right to be forgotten” by deleting the personal information of customers
- have robust processes in place to inform customers of notifiable data breaches
- keep detailed records, including the reasons for using data, if data processing is regular, includes sensitive data, or poses a threat to people’s rights and freedoms.
The new law has specific rules for organizations that transfer data outside the EU, process data for other businesses, collect data from children, or use profiling for legally binding agreements such as loans. Many organizations are required to appoint a data protection officer or carry out data protection impact assessments, depending on factors such as the type and amount of data collected.
The GDPR also encourages organizations to adopt what it calls “data protection by design” by building safeguards into their products and services from the earliest stages of development.
Making the changes needed to comply with these rules is a challenge, but you can take away much of the pain by adopting the right tools—such as data governance technologies.
The Compliance Challenge
Complying with all these rules is proving to be a challenge. Organizations had two years to prepare for the GDPR before it came into force, yet it appears that many are still falling short of compliance. “Pretty much everyone is breaking the law right now,” commented Thomas Baekdal, a prominent European media analyst.
For example, tracking down all customer information inside an organization can be difficult, with data often kept in silos—such as spreadsheets on individuals’ computers. How do you keep detailed records, give customers access to their data, and erase their data, if you don’t even know where that data is?
How can you be sure that everyone in your organization is complying with the rules, like gaining customers’ consent before using their data? And how do you apply extra safeguards for sensitive information if you’re using that dataset for analytics to gain insights into customer behaviors or to provide better services?
Enter Data Governance 2.0
Good data governance processes can help solve these and other problems associated with GDPR compliance. The latest approach, called ‘data governance 2.0’, provides a framework to protect customers’ privacy while allowing the data-sharing that modern enterprises need.
A data governance 2.0 platform is a technology solution that safely stores and segregates datasets, applies rules for the permitted use of data, and supports roles governing who has access to what information. It can also ensure that all parties understand legal accountability and that data use is auditable.
Importantly, a data governance 2.0 platform is an ideal way to help introduce data protection by design. For example, it can facilitate the anonymization of personal information, while allowing governed access to secured datasets for analytics and tokenized matching.
With the introduction of GDPR, the expectations that organizations will protect customer data are higher than ever. But with a data governance 2.0 platform, you can meet those expectations and gain a competitive advantage—now and in the future.
For more information on how a platform such as Data Republic can help your business, see our blog post ‘How Data Governance 2.0 Can Boost Business Performance’ or our ebook on data governance.