What is GDPR?
The European Commission has introduced the General Data Protection Regulation (GDPR) which will be implemented on 25th May, 2018.
The regulation has mainly been implemented in order to:
- Force companies to be clearer on their data collection and usage of personal information
- Improve data protection and prevent data infringement
- Establish improved control and reactivity to prevent data leakage
GDPR not only affects companies which deal with sensitive data, such as the health and finance sectors, but all companies which deal with personal information, being the majority of companies today. Although GDPR is a European regulation applying to European companies, it will also apply to other countries that deal with and manage data of European citizens.
The GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date. If inaccurate, rectified without delay or erased
- kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
- kept in compliance with the GDPR, which must be demonstrable by the company holding the data
Consent is a core element of the new data protection law. It is one among several available legal grounds to process personal data. Obtaining an individual's consent in order to process their personal information may seem an easy way to establish a legal basis for processing; however, consent is not as straightforward a concept as it may at first appear, particularly when it is not clear what conditions must be met for that person's consent to be effective.
What are the consequences and risks?
- Fines incurred: European companies will be subject to a fine which could be up to 4% of the company’s overall business, or up to 20 million euros.
- Organisations which have been affected will be required to notify customers within 72 hours in the case of non-compliance.
Adhering to the new regulation is important for both the transparency of client data usage, which includes the implementation of a data loss protection (DLP) scheme, as well as the documentation of data processes.
How to ensure and demonstrate compliance
In order to comply with the GDPR, both internal processes and IT systems must be updated to follow the above main principles. Public institutions and larger enterprises will have to engage a Data Protection Officer (DPO), and they will need to demonstrate compliance by means of a Data Privacy Impact Assessment when introducing new policies and systems.
All in all, this cross-organizational effort, which has to report to top management, requires advanced tools to avoid overloading the organization.
Policy Automation Tool
Oracle Policy Automation (OPA) is an end-to-end industry-leading solution for capturing, managing, and deploying complex legislation and other document-based policies across channels and processes. OPA has the following key areas of capabilities:
- Transform legislation and policy documents into executable and maintainable rules in any language
- Deliver guided interview experiences using modeled natural language policies, for self-service and call center
- Empower policy owners to quickly assess the impact of existing and proposed policy using real business rules and real business data
- Achieve complete consistency across delivery channels using standard web services architecture and pre-packaged integration
This ensures businesses are able to:
- Achieve consistency across multiple channels (web, mobile, contact center and face to face)
- Provide detailed decision reporting to understand how decisions are reached
- Assess impact of policy changes
- Reduce cost through integration with major platforms both legacy and modern systems