GDPR and the race to comply
With only a year remaining until the EU General Data Protection Regulation (GDPR) goes into effect, enterprises are scrambling to change their data collection and retention practices in order to comply with the new regulation. With the rapid growth of the digital market (mobile apps, connected devices, wearable technology, augmented reality, and so on), trillions of pieces of data are collected by businesses around the globe at any given time. In their eagerness to use customers’ personal data for competitive advantage, businesses often overlook the fact that identifiable data is both an asset and a liability. In the event of a data breach, corporations face legal liability for the data accessed by criminals. Up until now, the laws and regulations created to protect data privacy were poorly enforced, unorganized, and rarely resulted in monetary penalties, but all of this is about to change.
Timeline
In May 2018 the new EU Data Protection Regulation will come into force, firmly establishing a new framework for data protection. Businesses handling the data of European Union subjects, regardless of where they are located, will have to comply with the new law or pay heavy penalties of up to four percent of annual turnover. The current technological landscape enables enterprises to do business with customers all over the world, so naturally most large and medium-sized businesses are at risk of non-compliance with the new regulation. Suddenly, the Chief Privacy Officer becomes one of the key positions in the company, and corporations are racing to review their data collection practices in order to comply with the new law.
Microsoft
Just recently, Microsoft came under criticism from European Union data protection authorities for the volume of data that its Windows 10 operating system collects by default. Although Microsoft is taking steps to simplify its data collection and privacy settings, the company received a letter from the Article 29 Working Party stating its concerns:
“The Working Party has significant concerns with some of the personal data collected and further processed by Microsoft within the Windows 10 operating system and specifically the default settings or apparent lack of control for a user to prevent collection or further processing of such data.”
The main idea behind the GDPR is to return control over people’s personal data to the people themselves. In the words of Green MEP Jan Philipp Albrecht, who led the European Parliament’s negotiations: “Consumers will have to give their explicit consent to the use of their data.”
Understanding the Impact
So what are the key elements of the new regulation? One of the most important provisions is that the GDPR is not confined to the European continent but applies to all businesses globally that offer their products and services to European citizens. Furthermore, if businesses violate the basic information processing principles or break the rules on cross-border data transfers, they can be fined up to four percent of the company’s total annual turnover. For large international corporations like Microsoft or Google, this would mean billions of dollars for non-compliance with the law.
Another key provision of the new law is the data subject’s right to be forgotten: people can ask a data controller to erase their personal data in certain situations. The law also allows customers to transfer their data from one company to another and gives them the right to receive any personal data they provided to the controller. If a customer’s data is no longer necessary for the purpose for which it was collected, it must be erased as soon as possible. Businesses can therefore no longer claim in their privacy policies that they will hold on to customers’ data indefinitely, which was a common practice until now. The new law also requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it, and that notification must specify the nature of the personal data breach, how many data subjects were affected, the consequences of the breach, and how the breach will be addressed. In addition, companies are now required to appoint a data protection officer if they handle or collect large volumes of sensitive personal information.
Beyond the provisions mentioned above, the data subject’s consent is probably the most significant challenge for companies. According to the GDPR, consent must be “freely given, specific, informed and unambiguous.” Furthermore, consent must be given through a “clear affirmative action,” and “Silence, pre-ticked boxes or inactivity” is not an adequate form of consent.
Although the GDPR might seem an unnecessary burden for businesses, it does have positive implications in the long run. Unlimited data collection and inadequate data safeguards put businesses at risk of great financial and legal costs in the event of a data breach. The GDPR’s new framework requires greater responsibility in handling customers’ data, so that both data subjects and businesses have a clear set of guidelines on how to collect, use, and store data with minimal risk to both parties. Digital disruption is growing, and with it comes the responsibility for enterprises to treat their customers’ personal data with a newfound respect, even if this respect is born out of the necessity to comply with the law.
Complying with GDPR
Clarip’s AI (artificial intelligence) based enterprise SaaS data privacy platform can help organizations easily manage data privacy with minimal investment. You can save millions of dollars in development and implementation costs associated with GDPR compliance requirements. Schedule a demo today to learn more.
Learn more about the Clarip Platform