
Five reasons why the EU’s new data protection regulation will impact companies worldwide

By Sven Dummer | Posted on November 07, 2017


It may be hard to believe, but many companies have had it pretty easy when it comes to data compliance. Thanks to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and industry standards like the Payment Card Industry Data Security Standard (PCI DSS), global businesses have had a fair amount of guidance on collecting, storing and managing user information. Now the EU's General Data Protection Regulation (GDPR) is raising the bar again.

When GDPR takes effect in May 2018, it will close numerous compliance ambiguities that in the past allowed companies outside the EU to more or less ignore European privacy regulations.

1. Not being EU-based is no longer an excuse

The biggest mistake a company can make with GDPR is assuming that it only affects companies located in the European Union. GDPR doesn't stop at the EU's borders. Any business that offers goods or services to people in the EU, or monitors their behaviour, and collects or stores their personal data must adhere to GDPR, no matter where the business itself is established. That means companies based in the United States or elsewhere are just as liable as EU organizations if they sell to a European audience and collect personal data on individuals residing in the EU. GDPR protects anybody residing in the EU, regardless of citizenship.

2. That goes for your servers too

Some business leaders may think they can work around the new rules by moving the servers that touch and house affected consumer data outside of the EU. It doesn't matter where your databases are located, where login and registration forms are hosted or where customer information is processed. If that data pertains to EU residents, you must adhere to every aspect of GDPR and its very strict privacy protection rules. If anything, moving the data out of the EU adds obligations: international transfers of EU residents' personal data are only permitted with a recognized safeguard in place, such as an adequacy decision or standard contractual clauses.

3. Third-party data processors won't protect you

There may once have been a time when working with a third-party data processor put some distance between your company and your customers' data, and absolved you of responsibility in the event of a breach or mismanagement of that information. Not so under the new law. Handing off data processing duties to an external party is no excuse for poor data management practices, and regulators will hold your business accountable for GDPR violations committed by your business partner. Under the new regulation, the data controller, i.e., your company, may only use processors that provide sufficient guarantees, must bind them by contract to the regulation's requirements, and remains answerable for how they handle the data; processors also carry direct obligations of their own for the first time. It's not just your own internal policies you need to worry about, but your business partners' workflows as well. This puts more pressure on organizations to only work with vendors that adhere to compliance and security best practices.

For our part, Janrain has been at the forefront of GDPR awareness and readiness. Our teams have been working studiously to dot every "i" and cross every "t" ensuring our company - and by extension, our customers - are prepared to comply with GDPR once it launches.

4. Umbrella consent is out the window

One of the most notable changes is GDPR's requirement that consent, where it is the legal basis you rely on, be freely given, specific, informed and unambiguous, and be gathered before collecting, storing and processing personal data. Today, many organizations use vague user consent forms to collect a wide range of personal information. Under GDPR, companies need to outline precisely what data they are asking a customer to share, for which purposes, and how that information will be used; a single blanket approval covering everything no longer qualifies. In addition to this new level of transparency, customers need to be able to review, change or revoke their approvals at any time, and withdrawing consent must be as easy as giving it.

Businesses will need to be much more surgical with their data collection, revamp their consent forms to reflect these requirements, and overhaul their fine print so that it clearly spells out to users exactly what they're agreeing to when they hand over their data.
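One way to model purpose-by-purpose consent that can be reviewed and withdrawn, as an added example that is not Janrain's code or product: the purpose names, the user id and the event shape are assumptions made for the illustration. The ledger is append-only, a processing check reads only the latest decision for the exact purpose requested, and a catch-all purpose is refused so the old umbrella-consent pattern cannot creep back in.

```python
"""Purpose-scoped consent ledger.

Added illustration of the consent model the text describes; it is not
Janrain code. The purpose names, the user id and the event shape are all
assumptions made for the example. The ledger is append-only: granting and
withdrawing consent both append an event, and a processing check reads the
latest event for the exact purpose requested. A catch-all purpose such as
"all" is rejected so the old umbrella-consent pattern cannot creep back in.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Purposes a user can consent to one by one (assumed set for the example).
PURPOSES = {"account", "newsletter", "analytics", "third_party_sharing"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime
    notice_version: str    # version of the privacy notice the user actually saw


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Append a grant or withdrawal; refuse anything that is not one specific purpose."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown or non-specific purpose: {purpose!r}")
        event = ConsentEvent(user_id, purpose, granted,
                             at or datetime.now(timezone.utc), notice_version)
        self._events.append(event)
        return event

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this user and purpose, or None if never asked."""
        for event in reversed(self._events):
            if event.user_id == user_id and event.purpose == purpose:
                return event
        return None

    def may_process(self, user_id: str, purpose: str) -> bool:
        """True only if the latest decision for this exact purpose is a grant."""
        event = self.latest(user_id, purpose)
        return event is not None and event.granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything the user can review: every grant and withdrawal, in order."""
        return [event for event in self._events if event.user_id == user_id]


def demo() -> dict:
    """Constructed walk-through: grant three purposes, withdraw one, try an umbrella grant."""
    ledger = ConsentLedger()
    ledger.record("u-42", "account", True, "notice-v2")
    ledger.record("u-42", "newsletter", True, "notice-v2")
    ledger.record("u-42", "analytics", True, "notice-v2")
    ledger.record("u-42", "newsletter", False, "notice-v2")  # user withdraws later
    try:
        ledger.record("u-42", "all", True, "notice-v2")        # blanket consent
        umbrella_rejected = False
    except ValueError:
        umbrella_rejected = True
    return {
        "newsletter": ledger.may_process("u-42", "newsletter"),
        "analytics": ledger.may_process("u-42", "analytics"),
        "third_party_sharing": ledger.may_process("u-42", "third_party_sharing"),
        "umbrella_rejected": umbrella_rejected,
        "events_visible_to_user": len(ledger.history("u-42")),
    }


if __name__ == "__main__":
    print(demo())
```

Because every decision is kept rather than overwritten, the same ledger answers both the runtime question (may we email this person today?) and the audit question (what did they agree to, under which notice text, and when did they change their mind?).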

5. Account deactivation is not the same as deletion

Many companies today don't allow registered users to delete their accounts and only offer account deactivation. That lets them keep using user data even after an account has been deactivated, because the customer's data remains on the organization's servers.

Under GDPR, businesses will be expected not only to honor account deactivation requests but to offer complete account deletion. This "right to be forgotten" (the right to erasure) will require organizations to scrub their systems and eliminate every trace of a customer, subject to narrow exceptions such as records the business is legally required to retain. That could be a tall order for businesses with complex networks, distributed CRMs and marketing automation systems with databases spread across various environments, departments and regions, including the copies that sit in backups and exports. They will need to centralize this data or find an efficient means of locating it wherever it resides and removing it.
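The difference between the two operations, and the verification step that separates "we flipped a flag" from "the person is gone", as an added example that is not Janrain's code: three in-memory SQLite databases stand in for an identity store, a CRM and a marketing-automation system, with schemas and sample rows constructed for the illustration. deactivate() is the soft-delete pattern criticised above, erase() removes the person from every store while unlinking the order history that may have to be kept, and find_traces() sweeps every column of every table so the result can be checked rather than assumed.

```python
"""Deactivation versus erasure across several data stores.

Added example, not Janrain code. Three in-memory SQLite databases stand in
for an identity store, a CRM and a marketing-automation system; the schemas
and the sample rows are constructed for this illustration. deactivate() is
the pattern the text criticises: it flips a flag and leaves every personal
record in place. erase() removes the person from every store and strips
identifying fields from the order history that may have to be kept for
accounting, and find_traces() scans every column of every table so the
outcome can be verified rather than assumed.
"""
import sqlite3
from typing import Dict, List, Tuple

EMAIL, NAME = "ada@example.org", "Ada Example"   # constructed sample identity


def build_stores() -> Dict[str, sqlite3.Connection]:
    identity = sqlite3.connect(":memory:")
    identity.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, email TEXT, name TEXT, active INTEGER);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, account_id INTEGER,
                            customer_email TEXT, total_cents INTEGER);
        INSERT INTO accounts VALUES (42, 'ada@example.org', 'Ada Example', 1);
        INSERT INTO orders VALUES (1, 42, 'ada@example.org', 1999);
    """)
    crm = sqlite3.connect(":memory:")
    crm.executescript("""
        CREATE TABLE contacts(contact_id TEXT PRIMARY KEY, email TEXT, full_name TEXT, notes TEXT);
        INSERT INTO contacts VALUES ('c-9', 'ada@example.org', 'Ada Example',
                                     'Called Ada Example about renewal');
    """)
    marketing = sqlite3.connect(":memory:")
    marketing.executescript("""
        CREATE TABLE subscribers(email TEXT PRIMARY KEY, segment TEXT);
        INSERT INTO subscribers VALUES ('ada@example.org', 'newsletter');
    """)
    return {"identity": identity, "crm": crm, "marketing": marketing}


def deactivate(stores, email: str) -> None:
    """Soft delete: the account stops working, but nothing personal goes away."""
    stores["identity"].execute("UPDATE accounts SET active = 0 WHERE email = ?", (email,))


def erase(stores, email: str) -> None:
    """Hard delete across every store that holds the person."""
    ident = stores["identity"]
    row = ident.execute("SELECT id FROM accounts WHERE email = ?", (email,)).fetchone()
    if row is None:
        return
    (account_id,) = row
    # Orders may have to be kept for accounting, so unlink them instead of deleting.
    ident.execute("UPDATE orders SET account_id = NULL, customer_email = 'erased' "
                  "WHERE account_id = ?", (account_id,))
    ident.execute("DELETE FROM accounts WHERE id = ?", (account_id,))
    stores["crm"].execute("DELETE FROM contacts WHERE email = ?", (email,))
    stores["marketing"].execute("DELETE FROM subscribers WHERE email = ?", (email,))


def find_traces(stores, *needles: str) -> List[Tuple[str, str, str, int]]:
    """Scan every column of every table in every store for the given values."""
    hits = []
    for store_name, conn in stores.items():
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for column in columns:
                for needle in needles:
                    count = conn.execute(
                        f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" LIKE ?',
                        (f"%{needle}%",)).fetchone()[0]
                    if count:
                        hits.append((store_name, table, column, count))
    return hits


def demo() -> dict:
    """Constructed run: deactivate, count what remains, erase, count again."""
    stores = build_stores()
    deactivate(stores, EMAIL)
    after_deactivate = len(find_traces(stores, EMAIL, NAME))
    erase(stores, EMAIL)
    after_erase = len(find_traces(stores, EMAIL, NAME))
    orders_kept = stores["identity"].execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return {"traces_after_deactivate": after_deactivate,
            "traces_after_erase": after_erase,
            "orders_kept": orders_kept}


if __name__ == "__main__":
    print(demo())
```

The sweep in find_traces() is deliberately dumb: it does not trust the application's own notion of where personal data lives, which is exactly what goes wrong when a name is copied into a free-text notes field in the CRM. In a real estate the same idea extends to search indexes, analytics exports and backups, which this example does not model.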

With GDPR, the EU's leaders are making it clear that lackadaisical data privacy, security and management practices will no longer be tolerated. Any organization that wants to continue doing business in this market needs to diligently prepare its workflows, processes and systems to fully comply with the regulation.

For assistance going down the home stretch, be sure to reach out to Janrain and have a look at our GDPR information resources. Our unparalleled expertise may just be what you need to meet the GDPR deadline.


About the author

Sven Dummer


Director of Product Marketing

Sven Dummer leads product marketing at Janrain, helping companies to build better online experiences for their customers through cloud-based Customer Identity and Access Management (CIAM). Previously, Sven worked with Silicon Valley startups as well as Fortune500 companies, including Yahoo, Wind River (acquired by Intel), SUSE and Microsoft in product development, product marketing and management roles. At Intel, Sven also helped launch (and named) the collaborative Yocto Project, an open-source initiative that enables users to create custom Linux-based systems for IoT devices regardless of the hardware architecture. Sven is based in the San Francisco Bay Area.
