The European Union General Data Protection Regulation (GDPR) represents a broad new approach to customer privacy. GDPR currently applies to companies that hold or process personally identifiable information (PII) of individuals located in the European Union, regardless of where the company itself is based, but it represents a global trend that is already being implemented in other countries. These and similar new laws will have lasting effects on the way global corporations do business.
Regulatory compliance has affected organizations around the world for decades, and with our digital economy, IT is now at the center of the effort. Compliance isn’t easy when access, retention, and deletion of data throughout an enterprise are involved. Indeed, ESG has determined that 65% of organizations that have been subject to regulatory agency audits have failed part of one at least once in the past five years due to issues with data access or retention. Past audits, increasing stakeholder pressure, and new data protection regulations are leading to new concerns for IT managers and their teams.
GDPR touches on many different aspects of how an enterprise manages PII, including:
Personal consent and data management: Since GDPR took effect, businesses must, in certain instances, obtain their clients’ express “opt-in” permission before collecting any data. When requesting consent, firms must state the purpose for which the data will be collected, and they may need to seek additional consent to share information with third parties. This change in regulation means many businesses must reexamine their CRM and database management systems to ensure they are maintaining the required records in the proper ways. For instance, are only the minimum necessary number of data copies being retained, and only for the minimum necessary time, and are all forms of personally identifiable information, including pictures and videos, protected through encryption, pseudonymization, or other means? (Note that encryption alone does not anonymize data; encrypted personal data is still personal data as long as the key exists.)
Data access and the right to be forgotten: GDPR gives consumers significant control over their private data, including the right to access, review, and correct it on demand. Under certain circumstances, consumers can also request the removal of their personal information, a process known as the right to be forgotten.
Data breaches and notifications: GDPR ups the ante significantly in the case of a data breach. Data controllers must report breaches that are likely to result in a risk to people’s rights and freedoms to the relevant data protection authority within 72 hours of becoming aware of them, and must provide details regarding the nature and size of the breach. Additionally, if a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says data controllers must inform those concerned directly and without undue delay. Failing to meet the breach-notification obligations can be fined up to the greater of 10 million Euros or 2% of global annual turnover; the most serious violations of the regulation carry fines up to the greater of 20 million Euros or 4%.
Processors and vendor management: Enterprises are increasingly relying on outsourced development and support functions, so the private consumer data they maintain is often accessed by external vendors. Whenever a data controller uses a data processor to process personal data on their behalf, a written contract needs to be in place between the parties. Such contracts ensure both parties understand their obligations, responsibilities, and liabilities. Similarly, non-EU organizations working in collaboration with companies serving EU citizens need to ensure adequate contractual terms and safeguards while sharing data across borders.
How Oracle Engineered Systems May Help Customers Meet GDPR Requirements
There is no “silver bullet” for meeting GDPR requirements. An organization’s internal processes will have as much as or more impact on its ability to become GDPR compliant than the hardware and software it uses to process and protect its data. However, software and hardware can play a beneficial role that supports an organization’s compliance efforts.
The Enterprise Strategy Group, a leading IT analyst, research, validation, and strategy firm has authored a report that looks at how the combination of Oracle Database, Oracle Software, and Oracle Engineered Systems, specifically Exadata and Recovery Appliance, may help customers meet GDPR and similar data protection compliance requirements. ESG examined how the combined capabilities of these software and hardware products may help customers develop and maintain internal processes that simplify their efforts to meet GDPR compliance requirements. Engineered Systems work together to deliver greater efficiency and flexibility to production and data protection environments alike. These solutions give customers powerful tools that can be used to strengthen their compliance efforts.
ESG outlined ten ways that Oracle Database, Software, and Engineered Systems may help customers meet GDPR requirements and protect consumer data. Specifically, while a significant portion of GDPR compliance involves improving business processes and ensuring broad participation across an organization, the data-centric nature of GDPR makes it imperative to look at mission-critical databases because many of them contain PII.
The ten ways that ESG identified where Oracle Engineered Systems may help customers create and maintain their compliance processes include:
To learn more about how Engineered Systems can help you meet GDPR and other data regulation requirements, read the full ESG report.