X

Helping You Deliver Tomorrow’s CX, Today

Understanding How Oracle CX Cloud Suite Can Help You Prepare for GDPR

Nathan Joynt
CX Cloud Business Group

What is the General Data Protection Regulation (GDPR)?

The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Because the EU required each member state to implement a Directive into national law, Europe ended up with a patchwork of different privacy laws.

Additionally, increasing security breaches, rapid technical developments, and globalization over the last 20 years have brought new challenges for the protection of personal data. To address these challenges, the EU developed the General Data Protection Regulation (GDPR), which is directly applicable as law across all EU member states.

Why does the GDPR matter to our customers and to Oracle?

The GDPR goes into effect May 25, 2018.  It will apply to any company that collects and handles personal data from EU-based individuals. Personal data, also known as personal information or personally identifiable information (PII) in other regions, is defined as follows:

Any information relating to an individual that can directly or indirectly be identified by reference to identifiers such as names, identification numbers, location data, online identifiers, or, to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

These new and stronger individual rights, accountability requirements, and increased scrutiny from regulators, including potential fines up to 20 million euros or 4% of a company’s global annual turnover, means companies that collect and use offline and online personal data in the EU will need to update and manage their data handling practices and use cases more carefully than ever.

In this blog post, we’ll be exploring some of the GDPR requirements that may be particularly relevant to CX Cloud services customers, and will discuss some of the privacy and security features available for these service offerings that can help you address these requirements. However, it is important you consult your own legal counsel to understand your GDPR requirements, and to develop and implement a compliance plan designed to meet these requirements.

Who does the GDPR affect?

The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

  • Data subjects are living EU citizens to whom personal data relates.
  • Organizations within and outside Europe leveraging EU data subjects must be GDPR compliant.
  • Controllers or organizations that collect data and determine the use, conditions and means of processing personal data must be GDPR compliant.
  • Processors or organizations that process data on behalf of controllers must be GDPR compliant.

Data Subject rights, and other key requirements of GDPR

The GDPR strengthens existing privacy and security requirements such as notice and consent, technical and operational security measures, and cross-border data flow mechanisms. It’s built on established and widely accepted privacy principles such as purpose limitation, lawfulness, transparency, integrity and confidentiality.

The GDPR also formalizes new privacy principles such as accountability and data minimization, which are reflected throughout the text, included in the following requirements:

Data security
Companies must implement an appropriate level of security, encompassing both technical and organizational security controls to prevent data loss, information leaks, or other unauthorized data processing operations. The GDPR encourages companies to incorporate encryption, incident management, network and system integrity, availability and resilience requirements into their security program.

Data breach notification
Companies must inform their regulators and/or the impacted individuals without undue delay after becoming aware that their data has been subject to a data breach.

Security audits
Companies will be expected to document and maintain records of their security practices, audit the effectiveness of their security program, and take corrective measures where appropriate.

Data Subject Rights

Data Subjects are the individuals to whom personal data relates, e.g. your customers or Oracle’s customers. Under the GDPR Data Subjects have the following rights:

1. Right to be informed
This encompasses an obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how personal data will be used. 

​2. Right of Access
The right for data subjects to obtain from the data controller confirmation as to whether personal data concerning them is being processed, where and for what purpose.

3. Right to Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. 

4. Right to Erasure
Also known as the “right to be forgotten,” the right to erasure entitles the data subject to:

- Have the data controller erase his/her personal data.
- Cease further dissemination of the data.
- Potentially have third parties halt processing of the data.

5. Right to Restrict Processing
Under GDPR, individuals have a right to have their personal data ‘blocked’ or suppressed under certain circumstances. When processing is restricted, data controllers are permitted to store the personal data (which differentiates this right from the right to reassure above), but not further process it. 

6. Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data they have provided to a data controller for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

7. Right to Object
Individuals have the right to object to the use of their personal data for direct marketing purposes.

8. Right in Relation to Automated Decision Marketing and Profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. You should work with your legal counsel to determine whether any of your processing operations constitute profiling or, by extension, profiling involving automated decision making, and to consider whether you need to update your practices and policies to deal with the corresponding requirements of the GDPR.

How is Oracle prepared to help?

Oracle can help you address the new GDPR requirements leveraging more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle successfully manages business data for thousands of CX customers and tens-of-thousands of SaaS customers globally.

The Oracle CX Cloud Suite provides a consistent and unified data protection regime for global businesses. Built-in privacy and security features put users in control of the personal data they handle, helping them to build consumer trust. We are also actively engaged in product reviews to further assess which additional features and functionalities can be embedded into our applications or made available to.

Collecting Personal Data
Oracle CX Cloud services provide features that enable customers to capture personal data across different channels. Oracle CX Cloud Suite provides controls that can be configured by you to help meet your specific business requirements such as providing visibility on when someone is visiting your website, submitting a web-form, or sharing personal data across social media channels. These controls can also be configured to help you implement required notice mechanisms that enable your end-user customers to make informed decisions about the use of their personal data as part of these data capture processes. 

Managing Personal Data
Today’s businesses typically capture vast amounts of personal data. Functional business groups including marketing, sales and commerce teams require powerful tools that enable them to manage this data at scale. The Oracle CX Cloud Suite provides a comprehensive portfolio of features that makes it easy for teams of users and consumers to manage personal data. This includes tools designed to help you update personal data on request, as well as securely transfer personal data at scale leveraging modern APIs and Secure File Transform Protocol (SFTP) mechanisms. 

Protecting Personal Data 
Businesses have a responsibility to secure personal data they handle. The Oracle CX Cloud Suite is built with native security mechanisms and controls derived from ‘privacy by design and privacy by default’ principles. These controls include encryption and granular access controls that enable organizations to distinguish which individuals or groups should have access to personal data.

Additional GDPR Resources

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications. Download this paper to understand how Oracle Cloud Applications can be utilized to help address your GDPR compliance needs. 

Security Solutions

If you have additional data privacy and security needs beyond the standards and options built into software-as-a-service (SaaS) applications, or you use platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS), Oracle offers additional cloud security solutions and options. These solutions are designed to help protect data, manage user identities, and monitor and audit IT environments. Oracle Cloud customers can also select additional Managed Security Services (MSS) to leverage Oracle expertise in deployment and security technology management to further accelerate your path to GDPR compliance.

Addressing GDPR Compliance with Oracle Database Security Products. Download this paper to understand how Oracle Database Security technology can be utilized to help accelerate your response to GDPR.

Visit Oracle's GDPR Resource Center

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha
Oracle

Integrated Cloud Applications & Platform Services