It’s not a sexy subject but GDPR (the European Union General Data Protection Regulation) is coming, and it’s on everybody’s mind. With the enforcement date looming (25 May 2018), organizations that are not compliant could face some hefty fines.
These new regulations are here to replace the 1995 data protection directive and standardize data privacy laws across the EU so that all EU citizens are protected by the same data policy laws.
What are the key changes
- The GDPR’s influence will extend beyond the EU to organizations in any country processing EU citizens’ data.
- Penalties for a serious breach could be as much as 4% of a company’s global turnover per annum or 20 million Euros, whichever is higher, as per Article 83.
- Customers must be alerted ASAP about any breaches, (and DPAs within 72 hours)
- In a bid to empower “data subjects” (customers) and to move towards data transparency, everyone will have a right to a copy of their data free of charge, to move their data between “controllers” (companies/organizations), to know why “controllers” are using it as well as the right to Article 17 “Data Erasure” – ‘the right to be forgotten’ – to have their data deleted.
- Privacy is no longer an afterthought; “privacy by design” means that controllers need to have data protection in mind when designing their systems and processes e.g. double opt-ins and data security measures.
- Article 23 means no more hoarding and it’s on a need-to-know basis: controllers must conduct data minimization and only hold and process data that is necessary and provide limited access to those who need it.
- Instead of notifying your local Data Protection Authority (DPA) of your data processing activities (which can be a bit of a pain), with GDPR you will just need to keep your own internal records.
- For those whose processing operations need regular monitoring of “data subjects” on a large scale or of special categories of data, a Data Protection Officer (DPO) will need to be appointed. A DPO could be a colleague or someone external with the appropriate professionalism and expertise. They will report to the top and be in contact with the DPA and must avoid taking part in tasks that could cause any conflicts of interest.
But what about Brexit?
GDPR’s reach includes any organization that processes EU citizens’ data even outside of the EU and although the jury is still out on what the UK’s legal equivalent will be for UK citizens’ data after Brexit, it’s assumed it will closely follow GDPR. So even if your data activities are limited to the UK, it’s worth your while to get in line.
So, what can you get fined for?
Examples include not getting sufficient consent to process someone’s data, not adhering to Privacy by Design, not having your records in order, not notifying the correct authorities and data subjects about a breach and not conducting an impact assessment. The behaviour and attitude of an organization will impact how much the fine may be.
- Executive Leaders – “controllers”
- Newly appointed DPOs – “controllers”
- Marketing teams – “controllers” and “processors”
- Data managers and architects – “controllers”
- Data users – “processors”
What does this all actually mean?
Clear consent and double opt-ins are key! It will be illegal to have unclear and ambiguous opt-ins or terms and conditions. Data collection and processing now needs to be purposeful and transparent; everything collected and processed has to be justifiable. Data protection is no longer a part of the finishing touches; data protection has to be part of the plan from the very beginning and not an afterthought. And it’s interesting to note that you can’t keep your head in the clouds about GDPR either because this all applies to cloud services too!
How can Exasol help?
Exasol’s in-memory technology not only promises real-time analytics:
- It helps you manage your users and roles by managing access to database objects and using roles and hierarchies to manage lots of users.
- It enables you to create programmable views using a powerful data virtualization framework with Column Level Security and Row Level Security capabilities for an incredibly precise control over your data’s security.
- It allows you to thoroughly audit all your database activity by automatically keeping a log, enabling you to track who, what where and when data is accessed.
- It allows you to protect your data: with in-built encryption options for your data in rest and motion.
To ask questions and to find out more about Exasol’s high performance database get in touch. And for a deeper explanation and a more technical insight into how Exasol completes your GDPR compliant data landscape keep an eye out for my colleague Jens Graupmann’s article coming soon.
Further reading sources include: