As you may know already, the European Union General Data Protection Regulation (GDPR) reforms and modernizes EU data protection law and replaces the 1995 EU Data Protection Directive. Its objective is to harmonize data protection rules across all EU member states by creating a single, comprehensive EU framework for the processing and free flow of personal data, with a one-stop-shop mechanism for enforcement. The reform aims to give control back to individuals in the EU and to strengthen consumer trust in the digital economy.
The new law was adopted and published in 2016 and becomes enforceable on May 25th 2018. However, according to Gartner, more than 50% of the companies affected by GDPR will not be in full compliance with its requirements by that date.
Why Care?
Because GDPR applies to all organizations established in the EU, and ALSO to organizations established outside the EU that offer goods and services to individuals in the EU or monitor the behavior of individuals in the EU. GDPR is not sector specific: it applies to any organization that processes personal data, whatever its industry.
- The GDPR introduces fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher
- The GDPR allows individuals to seek monetary damages in court
- Enforcement activity by Data Protection Authorities will increase, and data protection breaches will make the headlines sooner
Even if your company is based outside the EU and does not interact with individuals in the EU, I would expect similar legislation in North America soon, especially after the Facebook and Cambridge Analytica scandal. Facebook has tens of thousands of apps connected to Facebook accounts. Users of one of those apps provided their information (as well as information about their Facebook friends), which was originally collected for research in 2013 and then improperly sold by the researcher to Cambridge Analytica. Mark Zuckerberg has since testified before the US Congress and appeared before the European Parliament.
Legal Justification for Processing Personal Data
- We must have a legal justification (a lawful basis) in order to process personal data
- What are the legal justifications?
- Consent: the individual has consented to the processing
- Contract: the processing is necessary
- in relation to a contract which the individual has entered into, or
- because the individual has asked for something to be done so they can enter into a contract
- Legal obligation: the processing is necessary to comply with a legal obligation that applies to us (anti-money-laundering regulations, employment law, etc.)
- Legitimate interest: the processing is necessary for the purposes of a legitimate interest we pursue (for example marketing communications), provided that interest is not overridden by the individual's rights
Sitecore delivers personalized experiences across today's channels and exchanges data to and from devices, campaigns, and third-party sources such as CRMs, POS or ERP systems. This is why it is so difficult to understand our data and make sure we satisfy all GDPR requirements, such as the right to be forgotten, data portability and the right to rectification. We must take care of all of the data: not only the data stored within Sitecore, but all data collected by Sitecore and possibly exchanged with other systems, since an erasure or rectification request has to be honored in every system that received a copy.
GDPR Top 10 Issues
1. Understanding Our Data: Data Mapping and Justification for Processing
3. Data Breach Reporting
4. Contracts with Customers and Vendors
5. Data Subject Rights and Data Subject Access Requests ("DSARs")
6. Training and Awareness / Appointment of a DPO
8. Privacy in Day-to-Day Operations / Privacy by Design / DPIAs