The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Because the EU required each member state to implement a Directive into national law, Europe ended up with a patchwork of different privacy laws.
Additionally, increasing security breaches, rapid technical developments, and globalization over the last 20 years have brought new challenges for the protection of personal data. To address these challenges, the EU developed the General Data Protection Regulation (GDPR), which is directly applicable as law across all EU member states.
The GDPR goes into effect May 25, 2018. It will apply to any company that collects and handles personal data from EU-based individuals. Personal data, also known as personal information or personally identifiable information (PII) in other regions, is defined as follows:
Any information relating to an individual that can directly or indirectly be identified by reference to identifiers such as names, identification numbers, location data, online identifiers, or, to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
These new and stronger individual rights, accountability requirements, and increased scrutiny from regulators, including potential fines of up to 20 million euros or 4% of a company’s global annual turnover, mean that companies that collect and use offline and online personal data in the EU will need to update and manage their data handling practices and use cases more carefully than ever.
In this blog post, we’ll be exploring some of the GDPR requirements that may be particularly relevant to CX Cloud services customers, and will discuss some of the privacy and security features available for these service offerings that can help you address these requirements. However, it is important you consult your own legal counsel to understand your GDPR requirements, and to develop and implement a compliance plan designed to meet these requirements.
The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The GDPR strengthens existing privacy and security requirements such as notice and consent, technical and operational security measures, and cross-border data flow mechanisms. It’s built on established and widely accepted privacy principles such as purpose limitation, lawfulness, transparency, integrity and confidentiality.
The GDPR also formalizes new privacy principles such as accountability and data minimization, which are reflected throughout the text, including in the following requirements:
Companies must implement an appropriate level of security, encompassing both technical and organizational security controls to prevent data loss, information leaks, or other unauthorized data processing operations. The GDPR encourages companies to incorporate encryption, incident management, network and system integrity, availability and resilience requirements into their security program.
Data breach notification
Companies must inform their regulators and/or the impacted individuals without undue delay after becoming aware that their data has been subject to a data breach.
Companies will be expected to document and maintain records of their security practices, audit the effectiveness of their security program, and take corrective measures where appropriate.
Data Subjects are the individuals to whom personal data relates, e.g. your customers or Oracle’s customers. Under the GDPR Data Subjects have the following rights:
1. Right to be informed
This encompasses an obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how personal data will be used.
2. Right of Access
The right for data subjects to obtain from the data controller confirmation as to whether personal data concerning them is being processed, where and for what purpose.
3. Right to Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
4. Right to Erasure
Also known as the “right to be forgotten,” the right to erasure entitles the data subject to:
- Have the data controller erase his/her personal data.
- Cease further dissemination of the data.
- Potentially have third parties halt processing of the data.
5. Right to Restrict Processing
Under GDPR, individuals have a right to have their personal data ‘blocked’ or suppressed under certain circumstances. When processing is restricted, data controllers are permitted to store the personal data (which differentiates this right from the right to erasure above), but not further process it.
6. Right to Data Portability
The right to data portability allows individuals to obtain and reuse the personal data they have provided to a data controller for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. Right to Object
Individuals have the right to object to the use of their personal data for direct marketing purposes.
8. Right in Relation to Automated Decision Making and Profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. You should work with your legal counsel to determine whether any of your processing operations constitute profiling or, by extension, profiling involving automated decision making, and to consider whether you need to update your practices and policies to deal with the corresponding requirements of the GDPR.
Oracle can help you address the new GDPR requirements by leveraging more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle successfully manages business data for thousands of CX customers and tens of thousands of SaaS customers globally.
The Oracle CX Cloud Suite provides a consistent and unified data protection regime for global businesses. Built-in privacy and security features put users in control of the personal data they handle, helping them to build consumer trust. We are also actively engaged in product reviews to further assess which additional features and functionalities can be embedded into our applications or made available to.
Collecting Personal Data
Oracle CX Cloud services provide features that enable customers to capture personal data across different channels. Oracle CX Cloud Suite provides controls that can be configured by you to help meet your specific business requirements such as providing visibility on when someone is visiting your website, submitting a web-form, or sharing personal data across social media channels. These controls can also be configured to help you implement required notice mechanisms that enable your end-user customers to make informed decisions about the use of their personal data as part of these data capture processes.
Managing Personal Data
Today’s businesses typically capture vast amounts of personal data. Functional business groups including marketing, sales and commerce teams require powerful tools that enable them to manage this data at scale. The Oracle CX Cloud Suite provides a comprehensive portfolio of features that makes it easy for teams of users and consumers to manage personal data. This includes tools designed to help you update personal data on request, as well as securely transfer personal data at scale leveraging modern APIs and Secure File Transfer Protocol (SFTP) mechanisms.
Protecting Personal Data
Businesses have a responsibility to secure personal data they handle. The Oracle CX Cloud Suite is built with native security mechanisms and controls derived from ‘privacy by design and privacy by default’ principles. These controls include encryption and granular access controls that enable organizations to distinguish which individuals or groups should have access to personal data.
Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications. Download this paper to understand how Oracle Cloud Applications can be utilized to help address your GDPR compliance needs.
If you have additional data privacy and security needs beyond the standards and options built into software-as-a-service (SaaS) applications, or you use platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS), Oracle offers additional cloud security solutions and options. These solutions are designed to help protect data, manage user identities, and monitor and audit IT environments. Oracle Cloud customers can also select additional Managed Security Services (MSS) to leverage Oracle expertise in deployment and security technology management to further accelerate your path to GDPR compliance.
Addressing GDPR Compliance with Oracle Database Security Products. Download this paper to understand how Oracle Database Security technology can be utilized to help accelerate your response to GDPR.