By Alessandro Vallega, Security and GDPR Business Development Director, Oracle EMEA
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. For those still getting to grips with what it means, let me answer some frequently asked questions.
The EU General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It applies to all organizations inside the EU and to any outside it that handle and process the data of EU residents. It is intended to strengthen data protection and give people greater control over how their personal information is used, stored and shared by the organizations that have access to it, from employers to companies whose products and services they buy or use. GDPR also requires organizations to have in place technical and organizational security controls designed to prevent data loss, information leaks, or other unauthorized use of data.
The EU has had data protection laws in place for over 20 years. However, in that time, the level of personal information in circulation has grown dramatically, and so have the different channels through which personal information is being collected, shared and handled. As the volume and potential value of data has increased, so has the risk of it falling into the wrong hands, or being used in ways the user hasn’t consented to. GDPR is intended to bring fresh rigour to the way organizations protect the data of EU citizens, while giving citizens greater control over how companies use their data.
GDPR does not come with a checklist of actions businesses must take, or specific measures or technologies they must have in place. It takes a "what," not "how" approach, setting out standards of data handling, security and use that organizations must be able to demonstrate compliance with. Given the operational and legal complexities involved, organizations may want to consult with their legal adviser to develop and implement a compliance plan.
For example, while GDPR strictly speaking does not mandate any specific security controls, it does encourage businesses to consider practices such as data encryption, and more generally requires businesses to have in place appropriate controls over who can access the data and to be able to provide assurances that the data is adequately protected. It also states that businesses must be able to comply with requests from individuals to remove or amend their data. But it is up to organizations how they meet these requirements, and ultimately it is up to them to determine the most appropriate level of security for their data operations.
If organizations are found to be in breach of GDPR, fines of up to 4% of global annual revenue or €20 million (whichever figure is higher) could potentially be imposed. Furthermore, given how critical personal data is to a great many businesses, the reputational damage could be even more significant if the public believes an organization is unfit to control or process personal information.
GDPR applies to any organization, based inside or outside the EU, that uses personal data from EU citizens, whether as the controller of that data (such as a bank or retailer with customer data) or as a third-party company handling data in the service of a data controller (such as a technology company hosting customer data in a data centre). The obligations differ depending on their respective roles and their control over the data they handle.
GDPR is designed to give people greater control over personal information. This may include direct or "real world" identifiers, such as name, address or employment details, but it may also include indirect or less obvious data, such as geolocation data or IP addresses, that could make a person identifiable.
Complying with any new regulation may bring additional work and expense, but GDPR also gives organizations an opportunity to improve the way they handle data and bring their processes up to speed for new digital ways of working. We are living in a data-driven economy. Organizations need to give consumers the confidence to share data and engage with more online services. Following the requirements of GDPR can help in that regard.
GDPR compliance must be a team effort. It is not something that can be achieved in, or by, one part of the organization. Ultimately, its importance is such that CEOs should be pushing their teams and appointed owners across the business to ensure compliance. Almost every part of a business uses and holds data and it only takes one part of the business to be out of alignment for compliance efforts to fail.
Oracle has always been a data company and takes very seriously its role in helping organizations use their data in more effective, more secure ways. We have more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle Cloud solutions are used by leading businesses in 175 countries, and we already work with customers in many heavily regulated industries. We can help customers better manage, secure and share their data with confidence.