The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Because the EU required each member state to implement a Directive into national law, Europe ended up with a patchwork of different privacy laws.
Additionally, increasing security breaches, rapid technical developments, and globalization during the last 20 years have brought new challenges for the protection of personal data. To address these challenges, the EU developed the General Data Protection Regulation (GDPR), which is directly applicable as law across all EU member states.
The GDPR goes into effect May 25, 2018. It will apply to any company that collects and handles personal data from EU-based individuals. Personal data, also known as personal information or personally identifiable information (PII) in other regions, is defined as follows:
Any information relating to an individual that can directly or indirectly be identified by reference to identifiers such as names, identification numbers, location data, online identifiers, or, to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
These new and stronger individual rights, accountability requirements, and increased scrutiny from regulators, including potential fines up to 20 million euros or 4% of a company’s global annual turnover, mean companies that collect and use offline and online personal data in the EU will need to update and manage their data handling practices and use cases more carefully than ever.
In this post, I’ll explore some of the GDPR requirements that may be particularly relevant to CX Cloud Service customers, and will discuss some of the privacy and security features available for these service offerings that can help you address these requirements. However, it is important you consult your own legal counsel to understand your GDPR requirements, and to develop and implement a compliance plan designed to meet these requirements.
The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The GDPR strengthens existing privacy and security requirements such as notice and consent, technical and operational security measures, and cross-border data flow mechanisms. It's built on established and widely accepted privacy principles such as purpose limitation, lawfulness, transparency, integrity, and confidentiality.
The GDPR also formalizes new privacy principles such as accountability and data minimization, which are reflected throughout the text, including in the following requirements:
Data security: Companies must implement an appropriate level of security, encompassing both technical and organizational security controls to prevent data loss, information leaks, or other unauthorized data processing operations. The GDPR encourages companies to incorporate encryption, incident management, network and system integrity, availability and resilience requirements into their security program.
Data breach notification: Companies must inform their regulators and/or the impacted individuals without undue delay after becoming aware that their data has been subject to a data breach.
Security audits: Companies will be expected to document and maintain records of their security practices, audit the effectiveness of their security program, and take corrective measures where appropriate.
Data subjects are the individuals to whom personal data relates, e.g. your customers or Oracle’s customers. Under the GDPR, data subjects have the following rights:
This encompasses an obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how personal data will be used.
The right for data subjects to obtain from the data controller confirmation as to whether personal data concerning them is being processed, where and for what purpose.
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
Also known as the “right to be forgotten,” the right to erasure entitles the data subject to:
Under GDPR, individuals have a right to have their personal data ‘blocked’ or suppressed under certain circumstances. When processing is restricted, data controllers are permitted to store the personal data (which differentiates this right from the right to erasure above), but not further process it.
The right to data portability allows individuals to obtain and reuse their personal data they have provided to a data controller for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Individuals have the right to object to the use of their personal data for direct marketing purposes.
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. You should work with your legal counsel to determine whether any of your processing operations constitute profiling or, by extension, profiling involving automated decision-making, and to consider whether you need to update your practices and policies to deal with the corresponding requirements of the GDPR.
Oracle can help you address the new GDPR requirements by leveraging more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle successfully manages business data for thousands of CX customers and tens of thousands of SaaS customers globally.
Oracle CX Cloud Suite provides a consistent and unified data protection regime for global businesses. Built-in privacy and security features put users in control of the personal data they handle, helping them to build consumer trust. We are also actively engaged in product reviews to further assess which additional features and functionalities can be embedded into our applications.
Collecting Personal Data
Oracle CX Cloud Service provides features that enable customers to capture personal data across different channels. Oracle CX Cloud Suite provides controls that you can configure to help meet your specific business requirements, such as providing visibility on when someone is visiting your website, submitting a web form, or sharing personal data across social media channels. You can also configure these controls to help you implement required notice mechanisms that enable customers to make informed decisions about the use of their personal data as part of these data capture processes.
Managing Personal Data
Today’s businesses typically capture vast amounts of personal data. Functional business groups including marketing, sales, and commerce teams require powerful tools that enable them to manage this data at scale. Oracle CX Cloud Suite provides a comprehensive portfolio of features that makes it easy for teams of users and consumers to manage personal data. This includes tools designed to help you update personal data on request, as well as securely transfer personal data at scale leveraging modern APIs and Secure File Transfer Protocol (SFTP) mechanisms.
Protecting Personal Data
Businesses have a responsibility to secure personal data they handle. The Oracle CX Cloud Suite is built with native security mechanisms and controls derived from ‘privacy by design and privacy by default’ principles. These controls include encryption and granular access controls that enable organizations to distinguish which individuals or groups should have access to personal data.
Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications. Download this paper to understand how Oracle Cloud Applications can be utilized to help address your GDPR compliance needs.
If you have additional data privacy and security needs beyond the standards and options built into software-as-a-service (SaaS) applications, or you use platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS), Oracle offers additional cloud security solutions and options. These solutions are designed to help protect data, manage user identities, and monitor and audit IT environments. Oracle Cloud customers can also select additional Managed Security Services (MSS) to leverage Oracle expertise in deployment and security technology management to further accelerate their path to GDPR compliance.
Download this paper to understand how Oracle Database Security technology can help accelerate your response to GDPR: Addressing GDPR Compliance with Oracle Database Security Products.