GDPR: In force from today for clients – and contractors
Contractors, whether your client company is already operating in the EU or has expansion plans there in the future, today’s GDPR rules have a profound impact on how all UK organisations handle, manage, and use consumer data, writes Florian Douetteau, CEO of software company Dataiku.
Background:
- From today, Friday May 25th 2018, the General Data Protection Regulation (GDPR) comes into effect. This new, sweeping regulation gives consumers control of how organisations use their personal data, requires opt-in consent, and makes it necessary for companies to remove a consumer's information from their databases almost instantly if the consumer asks for it – which presents enormous technical difficulties.
- Businesses will no longer be able to claim ownership of customer data; instead, they will be custodians of it. This fundamentally changes how a business handles this data.
- Businesses will need to have complete transparency across all of their data ‘actions’ and provide this information to the consumer almost instantly.
- The regulation applies if the Data Controller, the Processor or the data subject (the person) is based in the EU. Essentially, any company that does business in the EU must be GDPR-compliant, regardless of Brexit.
- The penalty for not complying can be a fine of up to €20 million or 4% of global annual turnover.
If you haven’t looked at strategies for GDPR-compliance, you’re very much behind the curve because it represents a significant change in how data will be handled around the world.
Despite it being in force from today, if you’re still not quite sure where to begin, we have prepared a white paper full of practical guidance.
It contains a short introduction to the GDPR's key terms and concepts; a look at the GDPR's biggest compliance challenges, and tips to overcome those challenges plus insights from a legal and software perspective.
After reading, if you’re still feeling overwhelmed by the various provisions and stipulations of the regulations, here’s a vote of confidence: most of them boil down to one simple thing -- data governance. And by putting solid data governance practices in place, you’ll be well on your way to compliance.
Why data governance? Well, one of the most daunting things about the GDPR is that organisations already have accumulated massive amounts of data (some of it copied many times over and used in countless different information systems), and the regulations apply not just going forward, but retroactively as well.
The way many businesses today manage data (or rather … don’t manage it), a simple right to be forgotten request from an EU user -- something with which you’ll have to comply under today’s GDPR -- becomes extremely complicated and operationally disruptive. In other words, if your or your client’s underlying system is not built in such a way that you can trace specific pieces of data, for customer requests, audits etc., GDPR becomes exponentially more complicated. Fortunately, data governance holds a lot of the answers.
As many GDPR experts have rightly pointed out, becoming GDPR-compliant is a matter of preparing both the data (yours or your client’s) and the processes for how you handle, manage and use that data. Companies must be sure that they can provide the full lineage of their data, meaning that when they create something from data, they – or you as their data processor – must be able to go back in time and determine which particular data was used and how.
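To make the lineage point concrete, here is a small, constructed Python example (added for this article, not Dataiku's code): every derived record stores which parent record it was built from, so a single erasure request for one data subject can be walked transitively through every copy and derivation. The dataset names, record layout and the `LineageRegistry` class are all assumptions for illustration.

```python
from collections import defaultdict

class LineageRegistry:
    """Tracks which parent record every derived record was built from (illustrative)."""

    def __init__(self):
        self.datasets = {}                     # name -> {record_id: record}
        self.provenance = defaultdict(dict)    # name -> {record_id: {(parent_ds, parent_id)}}
        self.subject_index = defaultdict(set)  # subject -> {(dataset, record_id)}

    def register_source(self, name, records):
        """Ingest raw records; each must name the data subject it concerns."""
        self.datasets[name] = {r["id"]: dict(r) for r in records}
        for r in records:
            self.subject_index[r["subject"]].add((name, r["id"]))

    def derive(self, name, parent, transform):
        """Build a dataset record-by-record, recording lineage for each output row."""
        self.datasets[name] = {}
        for rid, rec in self.datasets[parent].items():
            out = transform(rec)
            if out is not None:                # the transform may filter rows out
                self.datasets[name][out["id"]] = out
                self.provenance[name][out["id"]] = {(parent, rid)}

    def erase_subject(self, subject):
        """Right to erasure: delete every record that descends from this subject."""
        doomed = set(self.subject_index.pop(subject, set()))
        frontier = set(doomed)
        while frontier:                        # follow lineage edges transitively
            frontier = {(ds, rid)
                        for ds, recs in self.provenance.items()
                        for rid, parents in recs.items()
                        if parents & frontier and (ds, rid) not in doomed}
            doomed |= frontier
        for ds, rid in doomed:
            self.datasets[ds].pop(rid, None)
            self.provenance[ds].pop(rid, None)
        return sorted(doomed)

# Constructed sample: a CRM export copied into two successive derived tables.
CRM = [{"id": "c1", "subject": "alice", "email": "alice@example.com", "spend": 120},
       {"id": "c2", "subject": "bob", "email": "bob@example.com", "spend": 40}]

def build_registry():
    reg = LineageRegistry()
    reg.register_source("crm", CRM)
    reg.derive("high_spend", "crm",
               lambda r: {"id": "h-" + r["id"], "email": r["email"]} if r["spend"] > 100 else None)
    reg.derive("vip_mailing", "high_spend", lambda r: {"id": "v-" + r["id"], "email": r["email"]})
    return reg
```

Without the provenance map, the `vip_mailing` copy of Alice's e-mail address would survive the erasure request unnoticed; with it, `erase_subject("alice")` removes all three copies and reports where they were.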
Ultimately, that means building new systems for managing, tracing, and controlling data and its use throughout the organisation. Little wonder, then, that some IT contractors will no doubt be seen today rubbing their hands together!