The rules around customer information are all about to change. Starting with the May 25, 2018 effective date of the European Union’s General Data Protection Regulation—better known as GDPR—businesses worldwide are shifting their approaches to data security. Though it’s an EU regulation, it impacts anyone who does business with European citizens in Europe, including companies with websites that are available in Europe. In other words: almost everybody.
“All global companies and all employees of global companies can benefit from understanding GDPR,” says Brian Clayton, Conduent Associate General Counsel and Chief Privacy Officer. “This isn’t just about a far-reaching regulation, it is about understanding the implications and ensuring your company is well-positioned for future changes regarding data privacy.”
If you need a basic primer, start at the European Commission’s GDPR Infographic. While aimed at small- and medium-sized enterprises (SMEs), this infographic is one of the clearest and most readable overviews of the regulations that we’ve seen and the information applies to businesses of all sizes.
Tune in to Forrester’s GDPR episode of their popular “What It Means” podcast to hear Principal Analyst Fatemeh Khatibloo offer pragmatic guidance on how companies can prepare for compliance. Well worth a listen: Khatibloo’s comprehensive explanation of how GDPR is converting privacy as a human right to a force of market disruption.
A DPO is a Data Protection Officer, and in some cases the GDPR requires companies to have one. This Gartner article makes a compelling case for how data and analytics leaders can use GDPR changes to increase the business value of data by advocating for a mandate to drive value within the DPO role.
Did you know the consequences of failing to appoint a DPO can lead to major ramifications? Think administrative fees as high as €10,000,000 or 2% of a company’s worldwide turnover, depending on which amount is higher. This article from a UK law firm offers a perspective on why some people feel the DPO requirement is a burden for this very reason, among others.
Under the GDPR, any individual has a right to make a Subject Access Request, or SAR, to an organization that holds their personal data. Businesses must provide an answer or face a potential fine. The publication GDPR Report offers a good explanation.
SARs have their share of detractors. This Data Protection Network opinion column walks through some of the challenges Data Compliance Officers and DPOs will face, like tight time constraints and the need to properly identify each and every individual request as an SAR before proceeding, because not every ask qualifies.
While the GDPR didn’t invent the Right to be Forgotten (RTBF), it does define new rules about it. This right is well established in Europe but may be unfamiliar to American audiences. The GDPR Report is a good place to start learning about what new laws under RTBF will mean for businesses and their IT infrastructures.
The GDPR grants consumers a right to obtain an explanation when an algorithm makes a decision that affects them. So what happens when AI follows an algorithm that’s unintelligible to humans? This opinion column argues that the GDPR imposes unnecessary restraints—and policymakers should create technology-neutral rules to avoid unnecessarily distorting the market by favoring human decisions over algorithmic ones.
The short answer: Yes. Read this interpretation from the Program on Corporate Compliance and Enforcement at the NYU School of Law to learn more about how GDPR may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws, such as smaller organization for those that deal with relatively small amount of data originating in the EU.
It could take years to fully understand GDPR’s impacts, but it is critical for global businesses to understand what it is and how to comply. But more importantly, to think about what this means for the future of data privacy and protection so that your company does not need to scramble to meet future requirements—or worse, to be thrown into the spotlight for a data privacy issue that could have been avoided.