The impact of GDPR on companies around the world
To create greater coherence across the European Union (EU) and give citizens more control over their own personal data, the EU adopted the General Data Protection Regulation (GDPR) on 27 April 2016 to replace the 1995 Data Protection Directive. As stated on the European Commission's website: "The objective of this new set of rules is to give citizens control over their personal data and to simplify the regulatory environment for business." Organizations affected by GDPR were given two years, until 25 May 2018, to formulate and implement the policies, procedures and technologies needed to achieve and maintain compliance. Given that the sanctions for non-compliance are unprecedented, organizations need to make the most of that time to be prepared. It is important to note that, as a regulation rather than a directive, GDPR applies directly in all 28 EU Member States with the full force of law, without needing to be transposed into national legislation. It applies to the personal data of individuals in the EU (referred to below as EU residents) regardless of where that data is collected, stored or processed, inside or outside the EU. It also reaches organizations with no establishment in the EU whenever they offer goods or services to people in the EU or monitor their behaviour. There are exceptions: GDPR does not apply to processing for national security purposes, which falls outside EU law, or to processing in the course of "purely personal or household activities".
Which organizations are subject to GDPR?
All companies that collect or manage personal data about EU residents are subject to GDPR and to the sanctions that follow non-compliance. Personal data for GDPR purposes includes data about customers, suppliers, service providers and any other people the organization interacts with, including the data it exchanges with its supply chain or commercial partner networks. It is essential to remember that non-EU organizations are also subject to GDPR and to its fines. Any organization that collects personal information about EU residents must adhere to the rules established by GDPR.
What qualifies as personal information under GDPR?
As specified in the Regulation, personal data "means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." The definition is deliberately broad: online identifiers such as IP addresses, cookie identifiers and device IDs count, and data that has been pseudonymised but could still be attributed to a person with the help of additional information remains personal data. GDPR is intended to cover all personal information that residents typically share in their relationship with any entity.
How does the GDPR modify legal accord for collection and usage of personal data?
The strongest lever in GDPR is the issue of consent. Anyone who wishes to collect personal data on the basis of consent faces strict requirements when obtaining it from partners and clients: the request must be explicit, fully informed and fully transparent about how the data will be used, and it must be clearly distinguishable from other matters rather than buried in general terms and conditions. The Regulation defines the consent of the data subject as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Silence, pre-ticked boxes and inactivity therefore do not count. Consent is one of several lawful bases for processing (others include performance of a contract, a legal obligation and legitimate interests), but where it is relied upon, the organization must be able to demonstrate that it was obtained. GDPR also closes the loop: withdrawing consent must be as easy as giving it.
What are the rights of the EU citizen under GDPR?
GDPR brings more rights to EU citizens. At any time they have the right to access the personal data held about them by the "data controller", meaning the organization that decides why and how the data is processed; a "data processor", by contrast, handles data on a controller's behalf (a cloud, payroll or mailing provider, for example), and the controller remains answerable for its rights requests. Data subjects also have the right to data portability, that is to receive their data in a structured, commonly used, machine-readable format and to have it transmitted to another controller. Perhaps most importantly, and certainly the most frequently quoted, is the right to erasure, better known as the right to be forgotten, along with the right to rectification, the right to have inaccurate data corrected. EU residents can also invoke the right to restrict processing of their personal data and the right to object to it; in the case of direct marketing, the right to object is absolute and must be honoured without the organization weighing its own interests.
What responsibilities do you have in case of a security breach?
GDPR requires a personal data breach to be reported to the supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of individuals. The Regulation says the notification must be made "without undue delay" and, "where feasible, not later than 72 hours after having become aware of it", which leaves both the moment of awareness and what counts as feasible open to interpretation; a notification made after 72 hours must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected people must also be informed without undue delay. Organizations are also required to document every breach, including those they decide not to report, so that the supervisory authority can verify compliance. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and of personal data records concerned, give the contact details of the data protection officer or another contact point, describe the likely consequences, and describe the measures taken or proposed to address the breach and mitigate its possible adverse effects. Information that is not available at the time can be provided in phases as the investigation proceeds.
What are the potential consequences of non-compliance?
Sanctions for non-compliance with GDPR are not limited to fines: supervisory authorities can issue warnings and reprimands, order processing to be brought into compliance, or ban it altogether, and individuals can claim compensation for damage they suffer. The financial consequences are nevertheless significant. Under the Regulation, fines are required to be "effective, proportionate and dissuasive", and few entrepreneurs or business executives can absorb their potential impact. There are two tiers, determined by which obligations were breached rather than by whether the company has been cited before. Infringements of obligations such as keeping records of processing, securing data, notifying breaches and applying data protection by design carry fines of up to EUR 10 million or two percent (2%) of total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements of the basic principles of processing, the conditions for consent, data subjects' rights or the rules on international transfers carry fines of up to EUR 20 million or four percent (4%) of worldwide annual turnover, whichever is higher. Previous infringements, together with the nature, gravity and duration of the breach, whether it was intentional or negligent, and the degree of cooperation with the authority, are among the factors used to set the amount within those ranges.
How does GDPR influence legal departments and compliance with laws?
Legal departments need to study GDPR thoroughly to understand all of their obligations, including new or modified processes, policies, roles, responsibilities and training needs. This is not just a matter for law and compliance. It will take a concerted effort from every part of the organization that deals with personal data. Ultimately, accountability will be a legal concern, but most departments will be affected and will share responsibility for compliance. Sanctions, as discussed earlier, are high. You are dealing with a regulation that gives people the right to be forgotten: an organization that confirms it has erased someone's data but in fact still holds it in some system, export or backup has created exactly the kind of gap that supervisory authorities and complainants look for. All organizations must carefully review each policy, procedure or process that involves personal data to ensure that every privacy requirement is met or exceeded. The best advice for in-house counsel is to involve representatives from all the departments and areas touched by the compliance effort. This requires rigorous planning by many people, and you need to make sure that the other departments discussed here join you in allocating the right investment, resources and experts to the GDPR compliance program.
How does GDPR influence marketing activity?
Thinking in the longer term, marketers should see GDPR as good news: a move towards reducing the overwhelming noise consumers have to bear, and an opportunity to deliver well-targeted messages that will actually be heard. Brands will have to actively collect consent from their customers and prospects in order to keep promoting to and communicating with them, and that consent must be "freely given, specific, informed and unambiguous" to comply with the GDPR. Marketing agencies and marketers will need to find appropriate ways to comply while continuing to provide the customized products, services and experiences that consumers demand. The classic practice of "collect as much customer data as possible and then see what can be done with it" becomes a high-risk strategy, as data minimisation becomes the new paradigm. GDPR aims to eliminate the sneaky consent tactics marketers have used simply to inflate their contact lists: pre-ticked boxes, bundled consent hidden in terms and conditions, and opt-outs that are hard to find. Instead, marketers must use genuine opt-in, with an opt-out that is just as easy, so that messages go to people who have a real chance of receiving them with interest. Properly implemented, GDPR will reduce the number of poor-quality sales leads and fraudulent, bot-generated sign-ups, and ultimately eliminate the hit-or-miss targeting approach many have relied on. The goal is a more efficient marketing communication built on a qualified target group.
How does GDPR influence the storage and management of information?
As with other regulations, GDPR imposes obligations on the storage and management of information so that organizations can report on and demonstrate their compliance practices. Information capture, storage and records management teams will need to establish and implement a clear record-keeping policy for personal data if none exists, or update the existing policy to reflect GDPR requirements. Updating classification schemes, data storage methods and records programs will probably be necessary so that portability, erasure and rectification of data are not only possible but work reliably across every copy, including archives and backups. GDPR also calls for specific records: records of processing activities, data protection impact assessments for high-risk processing, records of consent, and documentation of every personal data breach. Teams responsible for capturing, storing and managing information will need to revise, update and create the policies the GDPR requires, and will probably need to increase their vigilance to ensure continued compliance.
How does GDPR modify information technology (IT)?
At first glance, GDPR seems almost exclusively an information technology (IT) matter. Its rules govern the flow of data across the organization from the moment of collection, through every intermediate processing step, to the deletion of a customer record. Under GDPR, effective processes and systems must be in place so that portability, erasure or rectification requests are carried out correctly and completely whenever required. Data protection by design and by default, which the Regulation makes mandatory, is now a required point of discussion with IT partners and vendors when assessing new technology acquisitions. IT decision makers need cloud providers to give clear and specific assurances on how they meet GDPR requirements: their ability to respond to requests for erasure, rectification and portability, the location of the data centres holding the data, whether personal data is transferred outside the EU and on what legal basis, and the processor contract terms GDPR requires between a controller and its providers. A significant challenge facing IT organizations everywhere is the need to document all data processing activities and to compile that documentation easily when needed. Finally, IT and IT security will play a key role in ensuring that data breach detection and notification procedures exist and are followed, since the 72-hour clock starts when the organization becomes aware of a breach.
How does GDPR influence human resources?
One provision of the GDPR allows EU Member States to adopt more specific national rules on the processing of employee data. This makes the administration of employee information under GDPR considerably more complex than the management of customer data. In the employer/employee relationship the employer is in a position of power, so, technically speaking, an employee's consent is rarely "freely given". Employers may therefore not be able to rely on consent for routine employee data processing, and will usually rely instead on other lawful bases such as performance of the employment contract, legal obligations or legitimate interests, as is common for human resources operations. Consent would still be necessary where processing goes beyond legitimate human resources operations. GDPR requires free and open consent for customer data, but an employee who wishes to refuse or withdraw consent for the use of his or her personal data has little real leverage, which is precisely why consent is a weak basis in this context. In addition, the sensitive nature of much employee data, and the fact that HR records often contain information about other people, will make subject access requests considerably harder to fulfil. Background checks, drug tests and other investigation data will present further new challenges, as will the portability provisions, which could allow employees to request the transfer of the data they provided to a new employer after the employment contract ends. Human resources organizations will need to seek legal advice to fully understand how to operationalize GDPR compliance for employee and candidate data.
ECM through OpenText
Enterprise Information Management (EIM) is the key to an effective and accurate GDPR compliance and protection strategy. As a local OpenText partner, Digital Archiving Solutions provides advice on how to comply with the new rules, offering solutions and services that can help protect personal information and confidentiality and give you more control over your information. OpenText, The Information Company™, enables organizations to gain insight through information management solutions, on premises or in the cloud. For more information about OpenText, visit www.opentext.com