Business Intelligence Info

Tag Archives: GDPR

Examining the Impact of GDPR One Year In

June 13, 2019   CRM News and Info

GDPR and Privacy Policies

One of the principal goals of GDPR is to encourage transparency, which means companies are now required to disclose how they’re using their subscribers’ and website visitors’ information — and they must do so in a way that is clear and simple. According to one infamous study, it would take roughly 76 work days to read all the privacy policies we encounter in a year (2), so the goal is to reduce that number drastically.

Under GDPR, each organization’s privacy policy must be easily accessible, concise, transparent, intelligible, and free of charge to access. It must be written in clear language that is easy to understand, so you should also clearly define any ambiguous or confusing terminology you’ll be using and avoid legalese wherever possible. Further, each online form must also include a clear link to the company’s privacy policy.

Lastly, if the organization will be collecting data from third-party sources, they are required to provide additional information about the data and its source.

Is GDPR Working?

Initially, business leaders and experts from different fields were extremely excited about GDPR. Speaking with Verdict about the potential impact of GDPR, Giles Pratt (IP and technology partner at Freshfields) said,

“The EU regulators have introduced a pioneering piece of legislation that looks likely to set the bar for data privacy standards around the world, and offers opportunities for closer working practices among international privacy professionals in business and the regulators they engage with.”

Yet while the road to GDPR compliance is slowly being paved with good intentions, early returns suggest many companies still have a long journey ahead of them on their path to compliance. Since the legislation took effect in May of 2018, there have been more than 200,000 reports of minor and major GDPR breaches in over 30 countries according to a report published by the European Data Protection Board — which consists of numerous regulators from across the region. In all, roughly $56 million in fines have been doled out by various watchdog groups, but $50 million of that came from a single fine for Google (3).

According to Mathias Moulin, a panel member of the CNIL (the French watchdog group that handed down the fine to Google), the fine was for a “massive and highly intrusive” breach and was based on several different factors — including the “scale… and the size of the company.” While the fine was merely a drop in the bucket for a company like Google, which boasted $137 billion in revenue in 2018, Moulin suggests that the past year “should be considered a transition year.”

That statement suggests that we can expect there to be stronger monitoring and enforcement of GDPR, which serves as a warning to organizations that have not yet prioritized GDPR compliance in their marketing efforts. It seems fair to give businesses (especially small- to mid-sized businesses) more time to implement better procedures for GDPR compliance before handing out major fines, but that time could be quickly running out as GDPR moves into its second year. Therefore, it’s important that you do your best to become GDPR compliant as soon as possible — for both the health of your business and the confidence and security of your customers.

Act-On Blog

Expert Interview (Part 3): James Kobielus on the Future of Blockchain, AI, Machine Learning, and GDPR

October 5, 2018   Big Data

Paige Roberts

October 5, 2018

Since Syncsort recently joined the Hyperledger community, we have a clear interest in raising awareness of the Blockchain technology. There’s a lot of hype out there, but not a lot of clear, understandable facts about this revolutionary data management technology. Toward that end, Syncsort’s Integrate Product Marketing Manager, Paige Roberts, had a long conversation with Wikibon Lead Analyst Jim Kobielus.

In the first part of the conversation, we discussed the basic definition of what the Blockchain is, and cut through some of the hype surrounding it. In the second part, we dove into the real value of the technology and some of the practical use cases that are its sweet spots. In this final part, we’ll talk about the future of Blockchain, how it intersects with artificial intelligence and machine learning, how it deals with privacy restrictions from regulations like GDPR, and how to get data back out once you’ve put it in.

Roberts: Where does Blockchain go from here? What do you see as the future of Blockchain?

Kobielus: It will continue to mature. In terms of startups, they’ll come and go, and they’ll start to differentiate. Some will survive to be acquired by the big guys, who will continue to evolve their own portfolios, while integrating those into a wide range of vertical and horizontal applications.

Nobody’s going to make any money off of Blockchain itself. It’s open source. The money will be made off of cloud services, especially cloud services that incorporate Blockchain as one of the core data platforms.

Believe it or not, you can do GDPR on Blockchain but, here’s the thing: the GDPR community is working out exactly what you can do to delete the data records consistently on the Blockchain. Essentially, you can encrypt the data and then delete the key.

Right. If you can’t decrypt it, you can’t ever read it.

Yeah. Inaccessible forever more in theory. That’s a possibility of harmonizing Blockchain architecture with the GDPR and other mandates that require the right to be forgotten. The regulators also have to figure out what is Kosher there. I think there will be some reconciliation needed between the techies pushing Blockchain, and the regulators trying to enforce the various privacy mandates.

Just as important in terms of where it’s going, Blockchain platforms as a service, PaaS, will become ever more important components of the data providers’ overall solutions. Year by year, you’ll see the Microsofts, IBMs and Oracles of the world evolve Blockchain-based Cloud services into fairly formidable environments.

There are performance issues, in terms of speed of updates with Blockchain now, but I also know that there is widespread R&D to overcome those. VMware just announced they’re working on a faster consensus protocol, so that different nodes on the Blockchain can come to consensus rapidly, allowing more rapid updates to the chain. Lots of parties are looking for better ways to do that. So, maybe it might become more usable for transactional applications in the future.

Blockchain deployment templates are going to become the way most enterprise customers power this technology. AWS and Microsoft already offer these templates for rapid creation and deployment of a Blockchain for financial or supply chain or whatever. We’re going to see more of those templates as the core way in which people buy, in a very business friendly abstraction. There will be a lot of Blockchain-based applications for specific needs. We’ll see a lot of innovation in terms of how to present this technology and how to deliver it so that you don’t have to understand what a consensus protocol is or really give a crap about what’s going on in the Blockchain itself. It should be abstracted from the average customer.

More in terms of going forward, you’ll see what I call “Blockchain domain accelerators.” There are Blockchain consultants everywhere now. There are national Blockchain startup accelerators. There are industry-specific Blockchain startup accelerators. There are Blockchain accelerators in terms of innovation of cryptocurrency and Internet of Things. We’re going to see more of these domain accelerator industry initiatives come to fruition using Blockchain as their foundation. They’ll analyze and make standards of how to deploy, secure and manage this technology specific to industry and use case requirements. That definitely is the future.

As I mentioned before, it will become a bigger piece of the AI future, because of Blockchain-based distributed marketplaces for training data. Training data for building and verifying machine learning models for things like sentiment analysis has real value. There’s not many startups in the world that would have massive training datasets already. To build the best AI, you’ll need to go find the best training datasets for what you’re working on.


I talked about that a little with Paco Nathan at Strata, how labelled, valid, useful training datasets were incredibly valuable now, and AI companies recognize that. They will share their code with you, but not their data, not for free.

I really think you’ll see a lot more AI training dataset marketplaces with Blockchain as the backing technology. It’s going to become a big piece of the AI picture.

Blockchain security is another big thing going forward. The Blockchain’s weak link is in protecting your private keys, which provide you with secure access to your cryptocurrencies that are running out of the chain. What we’re going to see is that there will be more emphasis on security capabilities that are edge-to-edge in terms of securing Blockchains from the weakest link, which is the end-user managing their keys. I think you’ll start to see a lot of Blockchain security vendors that help you manage your private keys, and also smart contracts. Smart contracts on the Blockchain have some security vulnerabilities in their own right. We’ll see a lot of new approaches to making these tamper-proof. There’s already a lot of problem with fraud.

I think I’ve covered most of the big things I see coming. That is the really major stuff.

One more thing I’m curious about, since Blockchain is still fairly new to me. There’s a lot of conversation about how you store data on the Blockchain, and a lot of research into things like securing it, and speeding up update speed, but storing data is only half the story with data management. Once you’ve put all this data in, you have to then get it out. If I’ve got a Blockchain, it has all this information I need, how do I go find and retrieve information from it? Do I use SQL?

There’s a query language in the core Blockchain code base.

So, it has its own specific query language, and people will have to learn a whole other way to retrieve data?

Basically, the core of Hyperledger has got a query language built in. It’s called Hyperledger Explorer. Hyperledger, in itself, is an ecosystem of projects just like Hadoop is and was, that will evolve. It’ll be adopted at various rates, some projects will be adopted widely, and some very little during production Blockchain deployments.

There’s some parallels with early Hadoop. Some of the early things that Hadoop had under their broad scope, they had an initial query language that didn’t take off, they updated that, and improved it with HiveQL. Same thing with Spark. They started out with a query language Shark, and switched to another one, Spark SQL.

We have to look at the entire ecosystem. Over time, some pieces may be replaced by proprietary vendor offerings, or different open source code that does these things better. It’s part of the maturation process. Five years from now, I’d like to see what the core Blockchain Hyperledger stack is. It may be significantly different. It may change as stuff gets proved out in practice.

Yeah, Hadoop changed a lot over the last decade.

Hadoop has become itself just part of a larger stack with things like Tensorflow, R, Kafka for streaming. Innovation continues to deepen the stack. The NoSQL movement, graph databases, the whole data management menagerie continues to grow. We’ll see how the core protocol of Blockchain evolves too. It’s a work in progress, like everything else.

I’ve written a bunch of articles on this. It’s changing all the time.

I’ll be sure to include some links in the blog post, so folks can learn more. I really thank you for taking the time to speak with me. It was really informative.

No problem. I enjoyed it.

Jim is Wikibon’s Lead Analyst for Data Science, Deep Learning, and Application Development. Previously, Jim was IBM’s data science evangelist. He managed IBM’s thought leadership, social and influencer marketing programs targeted at developers of big data analytics, machine learning, and cognitive computing applications. Prior to his 5-year stint at IBM, Jim was an analyst at Forrester Research, Current Analysis, and the Burton Group. He is also a prolific blogger, a popular speaker, and a familiar face from his many appearances as an expert on theCUBE and at industry events.

Also, make sure to download our white paper on Why Data Quality Is Essential for AI and Machine Learning Success.

Syncsort Blog

GDPR Vs. Data Localization Vs. Public Cloud

October 2, 2018   SAP

The old joke goes that “the cloud is just someone else’s computer.” But what if you don’t know where that computer is located? Organizations using or thinking of using the public cloud have a dilemma. How do they maximize the benefits of using the public cloud yet comply with GDPR and other global data protection laws that require data localization? How do they square the GDPR, data localization, and public cloud circle?

GDPR vs. data localization

Data localization laws restrict the storage of personal data to within the borders of a particular country or region. A frequent misunderstanding about GDPR is that personal data must remain within the EU. This is not the case.

Specifically, personal data can be moved outside the EU, but only if the jurisdiction in which the recipient is located provides an adequate level of data protection. However, outside the EU, multiple global data localization laws do exist, including laws in Canada, China, Australia, and Russia.

This means that multinational organizations operating in the EU and elsewhere may have to comply simultaneously with both GDPR and any data localization laws specific to the countries in which they do business.

Data localization vs. public cloud

The distributed nature of the public cloud is one of its key strengths, delivering lower latency, higher availability, improved resiliency, lower cost, and better performance. Data localization laws that restrict where data can be stored and where cloud services can be used can undercut many of these benefits.

Strict data localization laws can restrict data protection in the public cloud. For example, if a particular region suffers a network outage or a DoS attack, it means that all data in that region could be lost, compromised, or its access restricted. In such scenarios, restricting the storage of business data to a specific country or region may inhibit disaster recovery efforts.

The challenge for organizations is to ensure they meet local data protection regulations where they exist, yet retain the flexibility to fully use their public cloud infrastructure in regions where strict data localization rules don’t apply.

Public cloud vs. GDPR

Public clouds deliver significant business benefits including scalability, elasticity, improved performance, and lower cost. However, when it comes to GDPR compliance, the public cloud lacks two key features: transparency and control.

A public cloud user will struggle to comply with GDPR if they don’t know where their data is being stored, moved to, or processed. In addition, an organization may be confident that some non-EU jurisdictions have adequate levels of data protection, but how do they ensure that their cloud data is stored and processed there rather than in more risky locations?

In order to support GDPR compliance in the public cloud, users need to know in near real time where their data is being stored, moved, and processed. They need to be able to configure and enforce rules that ensure that their business data is only moved to, processed, and stored in regions the European Commission has recognized as having adequate levels of data protection.

A flexible approach to data protection in the cloud

Attempting to comply with both GDPR and other global data localization laws by locking all of your cloud data within a specific region is a crude, inflexible solution that risks reducing many of the business benefits of moving to the public cloud. Instead, organizations need a more flexible approach to data protection.

Solutions are available that address the need for improved data transparency and control in the public cloud. By providing near-real-time visualization of where data is being stored, moved, and processed in the public cloud, organizations can easily understand if they are at risk of breaching GDPR and other data localization laws.

In addition, controls enable users to configure policies that can be used to enforce data protection and compliance simultaneously within the EU as well as elsewhere. If required, users can configure policies that go beyond local data protection requirements and rapidly adapt policies in response to changing global data protection legislation.

Learn more

Designed in partnership with public cloud providers, SAP Data Custodian can help organizations balance the requirements of data protection legal compliance with effective use of the public cloud.

This article originally appeared on the SAP Analytics blog and is republished by permission.

Digitalist Magazine

GDPR As Catalyst: Start With A Solid Process Baseline (Part 3)

August 16, 2018   BI News and Info

Part 3 of the “GDPR as Catalyst” series

Whatever your business does, it has processes, whether you recognize them as such or not. Processes are simply the steps – formalized or informal – involved in accomplishing a business objective, whether that’s getting a report published, delivering a service, or shipping products to customers. In fact, the typical business has countless processes.

Enterprise business processes are designed to support operations. But it’s not always easy to understand how well these processes are really performing or where they need improvement. To identify process weaknesses and opportunities for optimization, business process owners need complete transparency into how processes are executed.

Visualize as-is processes

An “as-is” business process defines its current state. Typically, the analysis goal in putting together the current-state process is to clarify exactly how the business process works today, kinks and all.

Understanding variations in how processes are executed can help companies discover inefficiencies and process deviations or errors that bloat the process, increase cycle times, or impact operational costs. Process transparency can help identify compliance issues and can pinpoint manual process steps that would benefit from digitalization or automation. And it can highlight best practices that should be standardized across business units.

Holistic, end-to-end transparency into as-is processes helps stimulate data-based continuous process improvement.

Continually improve processes

Process optimization is the discipline of adjusting a process to optimize some specified set of parameters without violating some constraint. The most common goals are minimizing cost and maximizing throughput and/or efficiency. When optimizing a process, the goal is to maximize one or more of the process specifications, while keeping all others within their constraints. This can be done by using a process mining tool, discovering the critical activities and bottlenecks, and acting only on them.

Process mining technologies provide data-based process discovery, intuitive visual representations, and extensive drill-down capabilities. These technologies can deliver new levels of insight that enable organizations to explore and analyze business process performance and identify opportunities for greater process optimization.

Intelligent enterprises will build a business blueprint for optimized processes. They will understand how things work and where to remediate inefficient, cost-intensive, and noncompliant processes. The ability to analyze historical data and identify opportunities to increase process efficiency can form the basis for a powerful operational intelligence platform. And achieving process thinking across the business culture, while enabling operational and process excellence, is critical for every digital business.

At SAPPHIRE NOW, SAP Market Influencer Eric Kavanagh sat down with Bastian Nominacher, co-CEO of Celonis, to discuss the importance of understanding how and where data is flowing when undertaking a compliance project or a transformation initiative. Bastian’s recommendation: “You need to have a starting point for any transformation or compliance project. You need to have a solid baseline and a way of verifying where you stand, and then optimize based on this.”

Watch the interview with Celonis

To see the third of the 5-part discussion, watch the video.

Digitalist Magazine

How Remastering Data for GDPR Improves Customer Service

July 16, 2018   Big Data

Harald Smith

July 16, 2018

Editor’s note: This article on data bias written by Syncsort’s Harald Smith was originally published on Infoworld.

The recent Equifax breach left millions of consumers wondering not only if their personal data was at risk, but also what data Equifax had about them in the first place. In a world where commenting “And now for something completely different” on someone’s Facebook post triggers ads for Monty Python T-shirts, it’s natural that people want to know what your company knows about them, how you are using that data, and whom you are sharing it with.

Now that GDPR is here, if you’re doing business with anyone in Europe, you will have to respond to these questions in far greater volume and frequency. Are your employees prepared for this influx?

Business leaders worry about this because tracking requests, identifying data, and reporting the results back to consumers will be costly and challenging to organize. But rather than treating each request as an isolated compliance nuisance, try to see GDPR as an opportunity to reimagine how you interact with your customers and their digital identities. As GDPR and other data privacy initiatives expand, your ability to respond quickly and transparently to customer questions about their data will be a testament to how your organization values and treats its customers, and a factor in retaining customer loyalty.

The challenge of GDPR: It starts in the connections, lineage, and linkage

You collect customer data in myriad ways and that data proceeds through applications and systems, integration tools and other communications channels to end up in databases and other storage media. When customers ask what data you have about them, it’s hard to trace because it is in so many—frequently disjointed—locations. Most metadata systems, usually tied to ETL tools, only tell a fragment of the story, and can’t give you a complete picture of what happened to an individual’s specific data.

That said, the connections captured and represented as data lineage are an important component in tackling the challenge. Data lineage gives you a high-level map of routes through your data architecture, much as a map of eastern Massachusetts provides me with a view of how I can get from my home to my office. But just as that map will not show me how I got to the office today, your data lineage will not show you whether you received data about Jane Doe today and where it went.

To get insight into the specific individual, you need to create links or keys across those records. Where those links are already established (e.g., a customer number) and stored in known locations, queries can retrieve those sets of data. Where they are not known or not consistent, record linkage (or identity matching) techniques must be applied. If data is being added into existing systems where those data quality functions are available, that works fine. But usually those techniques are unavailable for database queries. Further, the distribution of saved reports and queried results (often in spreadsheets) containing an individual’s information is not typically captured or retained across your information landscape, leaving significant gaps in the customer view.


Taking master data and metadata to the next level

The answer lies in thinking more broadly about the master data tools you have through the lens of GDPR compliance. For years, organizations have focused on MDM systems as a central point for customer information, but typically in the context of how they synchronize customer data in specific business systems (i.e., a golden record) or facilitate insight into their buying behavior in downstream reporting systems. But why not think about leveraging your MDM system as a hub for systemic information about a customer? After all, the customer information is already there, these systems are modeled to provide reference information, and they usually have user interfaces for information stewardship.

Extending master data models to include systemic information on a customer means you can build a reference hub from which you can respond to customer data queries. As new customer information is collected and passed through varying information supply chains, the points of storage, the metadata trails, and other matching and linkage data can be collected and brought into such a customer hub as new content. With that data associated to individuals, your data stewards can: (1) Respond rapidly to customers’ queries; (2) identify in which systems and through what process flows the data has passed; (3) provide reports quickly to the customer; and (4) identify where systemic corrections or possibly removal need to be made.

Options and next steps

Currently, no tool does all the above. For many organizations, customer information files or possibly data catalogs may provide points of storage for collecting and consolidating this data. Where you have not previously gathered this systemic information, you can look at existing data catalogs, metadata repositories and data lineage to trace likely storage points and data trails to build your inventory of a given customer’s systemic data.

Wherever you decide to collect the information, though, you must ask how you can help your employees better service your customers. Thinking about GDPR from a customer service outlook, you will ask the right questions and approach solutions from the right place, allowing you to get creative with tools you may already have and reimagine customer interactions from a support perspective.

If you want to learn more about GDPR, be sure to read our eBook on Data Quality-Driven GDPR.

Syncsort Blog

Catching Up with GDPR Compliance

July 5, 2018   Big Data

Griffin Binko

July 3, 2018

The General Data Protection Regulation (GDPR) compliance deadline of May 25, 2018 has passed, but many organizations are still grappling with the data governance challenges it has created. Whether your organization conducts most, some or just a small amount of business in Europe, there are many aspects of data management you need to consider to comply with the regulation. Here are some great sources of information from industry experts to help bring you up to speed.

The Deadline

In our expert interview series with Paige Bartley, Senior Analyst for Data and Enterprise Intelligence at Ovum, she explains that some organizations may not reach the May 25th deadline. These will likely be smaller organizations, often based outside of Europe, that have a minority of their customers or employees based in the EU. They will have to adhere to the guidelines listed, such as the documentation of processes, the correction of false data, and the transfer and ownership of data, just to name a few.

Data lineage, data quality, and data availability also are inherently linked to the GDPR and play a large part in compliance.

  • Data Lineage is needed for the records of processing activities of personal data. This can account for how the data was handled, who handled it, and where it was handled.
  • Good data quality will help in GDPR compliance initiatives because it means that data subjects will have less incorrect data to correct. Data quality is both a driver of compliance as well as a product of it.
  • Data availability is cited directly in GDPR as part of Article 32’s requirement guidelines for the Security of Processing of personal data. High availability of systems, while not absolutely mandated, is highly encouraged for GDPR compliance.


Why the GDPR Matters Outside the EU

The GDPR applies not only to organizations that are based in Europe, but also to those that collect personal data from E.U. citizens who are located within the E.U., even if the company itself is not in the E.U. What this means in practice is that if you have, say, a website form that collects the personal information of visitors, and some of the people who fill it out are E.U. citizens who are located in the E.U. at the time that they fill out the form, that data could be subject to GDPR regulation. Similarly, if you partner with an organization that collects data from E.U. citizens, and some of that data is shared with you or otherwise comes under your ownership, the GDPR may also apply to the data.

Another reason why the GDPR matters outside of the E.U., and why it is a good idea to start planning for compliance now, is that the regulation may inspire similar frameworks in other jurisdictions in the future.

You can find more detail on those points here in our blog post.

Mainframe Compliance

If you have a mainframe, the GDPR data management requirements may apply to it, even if the mainframe is not inside the European Union. If your company has any kind of presence in Europe, you may need to bring your mainframe data management practices up to speed with the GDPR, along with those of the rest of your infrastructure.

In a post on GDPR Compliance for the Mainframe we gave some key areas that organizations should focus on when becoming GDPR compliant: data erasure, data sovereignty, timely data recovery, data pseudonymization, and data encryption. This isn’t a full list for GDPR Compliance but it’s a great place to start.

GDPR and Machine Learning

GDPR Compliance is also changing the way that organizations approach machine learning.

Katharine Jarmul, founder of KJamistan data science consultancy, stated that GDPR compliance changes a few of the ways that organizations have to inform users about automated of their data. Organizations will want to take note of their current notification process and make changes accordingly. What GDPR gives people is the motivation to get started on that.

15-Minute Recaps!

We’ve released a series of short webcasts in an effort to inform people of the importance of GDPR compliance. Check out these three great videos, which focus primarily on Data Quality, Capacity Management, and IBM i Security.

If you want to learn more about GDPR compliance and how Syncsort can help, be sure to read our eBook on Data Quality-Driven GDPR.

Syncsort Blog

What the GDPR Means for Small US Etailers

June 22, 2018   CRM News and Info

Large corporations are not the only businesses governed by the European General Data Protection Regulation, or GDPR, which became effective last month.

Small and mid-sized businesses also are subject to its provisions.

The regulation applies to the processing of personal data of individuals in the EU by an individual, a company or an organization engaged in professional or commercial activities.

“The common misconception is that if you don’t have an office in the EU, then the GDPR doesn’t apply to you,” said Cindy Zhou, principal analyst at Constellation Research.

However, shipping products to the European Economic Area (EEA) or sourcing them from the region are activities governed by the GDPR, she told the E-Commerce Times.

“The online marketplace has no borders,” noted Wesley Young, VP for public affairs at the Local Search Association.

That may be changing, however.

“We have seen many small businesses … exclude EU subjects from their clientele to avoid exposure to GDPR risks,” observed Andrew Frank, distinguished analyst at Gartner.

“This could impact assumptions about the frictionless global nature of e-business,” he told the E-Commerce Times.

GDPR Pitfalls for Unwary SMBs

The GDPR’s definition of personal data is “very broad,” LSA’s Young told the E-Commerce Times. “That would include IP addresses, location information, demographic information, and other general data used for targeting ads.”

The term “process” also is broadly defined, “and includes collecting and storing data, even if it isn’t further used,” he observed.

“The breadth of the GDPR’s application lends itself to be easily but unintentionally violated,” Young noted. For example, not following through on policy changes — failing to abide by new privacy policies, or not training staff to adhere to them — might be a violation.

Using data beyond the reason for which it was collected might be a violation, suggested Young, as consent has to be given for specific purposes.

The Ins and Outs of Consent

The GDPR “allows six different legal bases for collecting or processing personal data, of which consent is but one,” said Robert Cattanach, partner at Dorsey & Whitney.

For most e-commerce situations, the transaction arguably constitutes a contract, and “additional consent may not be required” to collect personal data necessary to conclude the transaction, he told the E-Commerce Times. However, the question of consent will arise when a merchant engages third-party vendors to track or monitor customer behavior on its website.

Monitoring or aggregating customer behavior on a merchant’s website to learn when a customer decides to place an order or abandon the search by using cookies is one option, Cattanach noted.

“The UK’s Information Commissioner’s Office has opined that implied consent may be sufficient for such site tracking,” he pointed out. Therefore, a pop-up banner stating continued use of the site means consent to the use of cookies might suffice — although some of the German data protection authorities might not agree.

For the collection of personal data, a pop-up requiring the customer to independently agree to it would be necessary.

Two major issues remain unresolved, according to Cattanach:

  • What constitutes informed consent is still “a matter of ongoing dispute”; and
  • Responses to data subject access requests — such as the right to discover what data has been collected, correct errors, and request to be forgotten — “are legally less problematic on their face but, as a practical matter, may be more difficult to execute.”

Requests to be forgotten require merchants to establish process flows for the intake of such requests; set policies for when such requests will be granted or denied; and implement procedures for responding within 30 days.

That is “no small undertaking,” Cattanach remarked, “which is why many SMBs have just decided to avoid triggering GDPR by expunging all existing data of EU residents and blocking EU IP addresses from accessing their websites going forward.”

Records of processing were expected to be the most challenging of the data subject rights requirements by 48.5 percent of more than 1,300 U.S. business users and consumers who participated in an online survey CompliancePoint conducted this spring.

Only 29 percent of respondents to the CompliancePoint survey were fully aware of the GDPR; 44 percent were somewhat aware and 26 percent were unaware.

Other data subject rights problems they anticipated:

  • Accountability – 41 percent;
  • Consent and data portability – 39.7 percent each; and
  • Right to be forgotten – 35.3 percent.

GDPR Readiness

Twenty-four percent of business respondents to the CompliancePoint survey said their organizations were fully prepared for the GDPR, while 31 percent said they were somewhat prepared and 36 percent said their organizations were not prepared.

Following are some of the factors that kept the organizations of CompliancePoint respondents from being GDPR compliant:

  • Waiting to see what enforcement would be applied – 45.6 percent;
  • Lack of understanding of the regulations – 39.7 percent;
  • No budget for compliance – 36.8 percent;
  • Low brand visibility – 33.8 percent; and
  • Unconcerned – 27.9 percent.

“SMBs are not immune to the risk of GDPR,” said Greg Sparrow, general manager at CompliancePoint.

“The risk of fines and regulatory action are the same for businesses large and small,” he told the E-Commerce Times.

The financial penalties — 4 percent of annual revenue or 20 million euros — are large, noted Constellation’s Zhou.

However, “the indirect costs in terms of impact on customer trust and brand reputation may be even greater,” said Gartner’s Frank.

CRM Software to the Rescue

CRM systems that make it relatively easy to execute functions like erasure and consent modification “can help considerably,” Frank suggested.

“SugarCRM recently released a data privacy module that automates much of the processes for managing the required data governance,” remarked Rebecca Wettemann, VP of research at Nucleus Research.

Zoho, Hubspot, Salesforce and other CRM vendors “are touting GDPR compliance,” Zhou noted.

“SMBs running cloud CRM applications will likely find the easiest path to compliance, because data privacy capabilities have been or are being built into these applications,” Wettemann told the E-Commerce Times.

That said, CRM companies are data processors by definition, Zhou pointed out, and under the guidance of the company that collected the customer data.

“Privacy policies, cookie notices and age consent forms all need to be managed by the SMBs themselves,” she said, “and are often placed on a website or on the e-commerce site which isn’t related to the CRM solution.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.

CRM Buyer

GDPR For Dummies: An HR Perspective

June 15, 2018   SAP

Cookies (not the edible kind), privacy statements, privacy policies, opt-in, opt-out…chances are if you’re reading this online, you’ve already had to opt-into something today. Then there are the numerous unread emails from no-reply@abc.com clogging your inbox. The culprit? GDPR.

So what’s it all about—and why, as an HR professional, should you care?

What is it?

The General Data Protection Regulation (GDPR, or EU Regulation 2016/679) came into effect on May 25, 2018, and has been described as a landmark moment in data protection. More than three years in the making, the legislation governs the management of personal data, creating consistent data protection rules across the 28 European Union (EU) member states. The regulation has replaced the Directive 95/46/EC, which has been the basis of European data protection law since its introduction in 1995. The GDPR explicitly defines what it means by the term “personal data:” Any data that identifies or can be used to identify an individual. It also updates the definition of personal data to include technology advances such as IP address, location, and biometric data, for example.

What has driven it?

As noted by EY, the demise of Safe Harbor in 2015 and an increased number of high-profile data breaches in the media have caused concern amongst regulators and consumers as to how personal data was managed, and these were drivers for the regulation.

Why is it so revolutionary?

The regulation introduces new rights for individuals to control and protect their personal data, including:

The right to be forgotten – the right to ask data controllers to erase all personal data without undue delay in certain circumstances.

The right to portability – where individuals have provided personal data to a service provider, they can require the provider to “port” the data to another provider, providing this is technically feasible.

The right to object to profiling – the right not to be subject to a decision based solely on automated processing.

It also introduces a mandatory breach notification, which requires organizations to notify the supervisory authority of data breaches without undue delay or within 72 hours, unless the breach is unlikely to pose a risk to individuals. If there is a risk, these individuals must be informed. Perhaps most importantly, there is the cost of non-compliance, which can be extraordinarily high – with fines as much as 4% of a business’ global revenue, or €20,000,000, whichever is higher.

Who does it apply to?

While it is European legislation and applies directly to companies operating from an establishment within the EU member states, it also applies to any location where processing is conducted. Therefore, it impacts any company that is a data processor or data controller of personal data based in the EU, as well as global companies that process personal data about individuals in the EU.

Who enforces it?

Supervisory authorities (SAs): Each member state of the EU will appoint an SA who will work with other member state SAs; the European Data Protection Board will coordinate the SAs. They can conduct audits, review certifications, issue warnings, order a processor or controller to comply with GDPR, impose limitations and even bans on processing, and impose administrative fines.

Now that you have the low-down, the first step is knowing if GDPR is applicable to your organization. If it is, your legal counsel has no doubt already made you well aware of this. As suggested in an earlier GDPR blog, the different activities involved to enable compliance with the GDPR and manage data privacy and protection must be brought together in a coherent and integrated set around the “four pillars” (privacy governance, data management, data security, and consent management), with solutions that deliver the capabilities needed to support each of them and so establish strong governance with best-of-breed technology. 

In summary, GDPR is all about the protection of personal data. Because HR is all about personal data, your solution for storing personal data must be capable of supporting GDPR compliance as your first line of defense. EY also suggests that ‘Privacy by Design’ is a key consideration for GDPR readiness—that is, designing data protection into the development of business processes and new systems. Privacy by design and default is also critical to continued GDPR compliance.

For more insight into data security, see Establish Trust In The Digital Age.

Digitalist Magazine

Two Big Reasons Why the GDPR Matters Outside the European Union

June 14, 2018   Big Data

Christopher Tozzi

June 11, 2018

If you think the GDPR — a European Union regulation that impacts data management — matters only for companies based in the E.U., think again. The GDPR is truly international in scope. Here’s why.

In case you’ve somehow missed it, the GDPR (that’s short for General Data Protection Regulation) is a regulation designed to protect the personal data of consumers in the European Union.

The GDPR’s requirements are far too lengthy to detail here. But suffice it to say that the regulation imposes significant new rules on the ways in which companies store, manage and transfer data associated with individuals. Going forward, companies will be responsible for making data management systems “private by design” and ensuring that consumers can permanently erase their personal data upon request.

For any company that works with data — which is to say, almost every company today — the GDPR is a big deal. Most existing data management tools and processes were not designed with the GDPR in mind, so businesses will have to assess the way they currently manage data and determine what they need to change in order to become GDPR-compliant.

That is true not just for companies in the European Union, but in many cases, across the world. Although the GDPR is a European Union regulation, its import is truly international. There are two main reasons why this is so.

The GDPR (Potentially) Applies to Any Company that Engages with E.U. Citizens

The first is that, according to Article 3 of the GDPR, the regulation applies not only to organizations that are based in Europe, but also to those that collect personal data from E.U. citizens who are located within the E.U. — even if the company itself is not in the E.U.

What this means in practice is that if you have, say, a website form that collects the personal information of visitors, and some of the people who fill it out are E.U. citizens who are located in the E.U. at the time that they fill out the form, that data could be subject to GDPR regulation. Similarly, if you partner with an organization that collects data from E.U. citizens, and some of that data is shared with you or otherwise comes under your stewardship, the GDPR might well apply to the data.

There is some nuance to note here. Generally, your business would have to market deliberately to the E.U. citizens in question in order for the data to be subject to GDPR regulation. But there is a fair amount of gray area in defining what deliberate marketing means. And since the GDPR is so new, there is not yet much precedent that clarifies how this dimension of the regulation will be interpreted by courts.

Because of the legal ambiguity and the expansive nature of the regulation in this respect, it’s hard for any business that operates on a large geographic scale — or even just has a website — to avoid collecting data that is subject to the GDPR. You could try a strategy like blocking access to your website to E.U. IP addresses in order to avoid collecting GDPR-regulated data, but that approach is not likely to work well in practice.

A better, safer strategy is to operate as if all personal data that you collect is subject to the GDPR, and treat it accordingly.

The GDPR will Inspire Similar Regulations

The second reason why the GDPR matters outside of the E.U. — and why it is a good idea to start planning for compliance now — is that the regulation may inspire similar frameworks in other jurisdictions in the future.

This is especially true given the spate of recent high-profile blowups related to consumer data privacy in the United States. Revelations that Cambridge Analytica collected personal data about millions of Facebook users without their explicit consent, along with events like the Equifax data breach, have sparked intense scrutiny of the way digital data is managed. They have also spurred discussion in Congress of a “privacy bill of rights” for the United States, which could take its inspiration from the GDPR.

To date, no country has announced plans to implement its own version of the GDPR. But it is not unreasonable to imagine that the GDPR will serve as a model for data privacy regulations in other jurisdictions, which would more comprehensively impact businesses based in those regions. That’s another reason why now is a good time to start bringing your company’s data management practices up to speed with the GDPR.

Conclusion

In short, the GDPR is not just something that European Union companies have to worry about. It has a very real and direct impact on many businesses outside of the E.U., and its significance will likely only increase as other governments look to the GDPR to guide data privacy regulations of their own.

It’s worth noting, too, that there is value in adhering to the GDPR’s requirements even if you are not legally obliged to do so. In many ways, the GDPR encourages data management best practices, and those are never a bad thing. Plus, in an age when consumers are growing increasingly frustrated by what companies are doing with their personal data, making data privacy a priority within your data management strategy certainly can’t be bad for business.

If you want to learn more about GDPR compliance and how Syncsort can help, be sure to read our eBook on Data Quality-Driven GDPR.

Syncsort Blog
