The EU General Data Protection Regulation explained...
The EU General Data Protection Regulation (GDPR) comes into effect on May 25th 2018.
For those still getting to grips with what it means, we sat down with Alessandro Vallega, security and GDPR business development director for Oracle EMEA, to help get some answers to frequently asked questions about GDPR.
What is GDPR?
The EU General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It applies to all organizations inside the EU and any outside who handle and process data of EU residents. It is intended to strengthen data protection and give people greater control over how their personal information is used, stored and shared by organizations who have access to it, from employers to companies whose products and services they buy or use. GDPR also requires organizations to have in place technical and organizational security controls designed to prevent data loss, information leaks, or other unauthorized use of data.
Why is GDPR being introduced?
The EU has had data protection laws in place for over 20 years. However, in that time, the level of personal information in circulation has grown dramatically, and so have the different channels through which personal information is being collected, shared and handled. As the volume and potential value of data has increased, so has the risk of it falling into the wrong hands, or being used in ways the user hasn’t consented to. GDPR is intended to bring fresh rigor to the way organizations protect the data of EU citizens, while giving citizens greater control over how companies use their data.
What should organizations do to comply with GDPR?
GDPR does not come with a checklist of actions businesses must take, or specific measures or technologies they must have in place. It takes a ‘what’ not ‘how’ approach, setting out standards of data handling, security and use that organizations must be able to demonstrate compliance with. Given the operational and legal complexities involved, organizations may want to consult with their legal adviser to develop and implement a compliance plan.
For example, while GDPR strictly speaking does not mandate any specific security controls, it does encourage business to consider practices such as data encryption, and more generally requires businesses to have in place appropriate controls regarding who can access the data and be able to provide assurances that data is adequately protected. It also states businesses must be able to comply with requests from individuals to remove or amend data. But it is up to organizations how they meet these requirements and ultimately it is up to them to determine the most appropriate level of security required for their data operations.
What are the penalties for not being compliant with GDPR?
If organizations are found to be in breach of GDPR, fines of up to 4% of global annual revenue or €20 million (whichever figure is highest) could potentially be imposed. Furthermore, given how critical personal data is to a great many businesses the to their reputation damage could be even more significant, if the public believes an organization is unfit to control or process personal information.
Who needs to prepare for GDPR?
Any organization based inside or outside the EU that uses personal data from EU citizens, whether as the controller of that data, such as a bank or retailer with customer data, or a third party company handling data in the service of a data controller, such as a technology company hosting customer data in a datacentre, depending on their respective roles and control over the data they handle.
What personal information is covered by GDPR?
GDPR is designed to give people greater control over personal information which may include direct or ‘real world’ identifiers such as name and address, or employment details, but may also include indirect or less obvious geolocation data or IP address data which could make a person identifiable.
Is GDPR bad for businesses?
Complying with any new regulation may bring additional work and expense but GDPR also gives organizations an opportunity to improve the way they handle data and bring their processes up to speed for new digital ways of working. We are living in a data-driven economy. Organizations need to give consumers the confidence to share data and engage with more online services. Following the requirements of GDPR can help in that regard.
Who should be in charge of GDPR?
GDPR compliance must be a team effort. It is not something that can be achieved in, or by, one part of the organization. Ultimately, its importance is such that CEOs should be pushing their teams and appointed owners across the business to ensure compliance. Almost every part of a business uses and holds data and it only takes one part of the business to be out of alignment for compliance efforts to fail.
How can Oracle help with GDPR compliance?
Oracle has always been a data company and takes very seriously our role in helping organizations use their data in more effective, more secure ways. We have more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle Cloud-Ready Infrastructure and Oracle Cloud solutions are used by leading businesses in over 175 countries and we already work with customers in many heavily regulated industries. We can help customers better manage, secure and share their data with confidence.
For more information, see: