By Sven Dummer | Posted on November 07, 2017
It may be hard to believe, but many companies have had it pretty easy when it comes to data compliance. Despite the prevalence of regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and industry standards like the Payment Card Industry Data Security Standard (PCI DSS), global businesses have had a fair amount of guidance on collecting, storing and managing user information. Now a new, pending regulation, the General Data Protection Regulation (GDPR), is raising the bar again.
When GDPR takes effect in May 2018, it will close numerous compliance ambiguities that in the past allowed companies outside the EU to more or less ignore European privacy regulations.
The biggest mistake a company can make with GDPR is assuming that it only affects companies located in the European Union. GDPR doesn't stop at country borders. All businesses that access and store information belonging to European residents must adhere to GDPR guidelines. That means companies based in the United States or elsewhere are just as liable as EU organizations, provided they sell to a European audience and collect personal data on individuals residing in the EU. GDPR protects anybody residing in the EU, regardless of citizenship.
Some business leaders may think they can work around these new compliance regulations by moving servers that touch and house affected consumer data outside of the EU. It doesn't matter where your databases are located, where login and registration forms are hosted or where customer information is processed. If that data pertains to EU residents, you must adhere to every aspect of GDPR and its very strict privacy protection rules.
There may once have been a time when working with a third-party data processor put some distance between your company and your customers' data, and absolved you of responsibility in the event of a breach or mismanagement of that information. Not so under the new law. Handing off data processing duties to an external party is no excuse for poor data management practices, and regulators will hold your business accountable for any GDPR violations committed by your business partner. Under the new regulation, the data controller, i.e., your company, is liable for the data processor's negligence and misdeeds. It's not just your own internal policies you need to worry about, but your business partners' workflows as well. This puts more pressure on organizations to work only with vendors that adhere to compliance and security best practices.
For our part, Janrain has been at the forefront of GDPR awareness and readiness. Our teams have been working studiously to dot every "i" and cross every "t", ensuring that our company, and by extension our customers, are prepared to comply with GDPR once it takes effect.
One of the most notable changes is GDPR’s requirement to gather explicit consent from users before collecting, storing and processing their personal data. Today, many organizations use vague user consent forms to collect a wide range of personal information. Under GDPR, companies need to outline precisely what data they are asking a customer to share as well as how that information will be used. In addition to this new level of transparency, customers need to be able to review, change or revoke their approvals at any time.
Businesses will need to be much more surgical with their data collection methods, revamp their consent forms to reflect these new requirements, and completely overhaul their fine print so that it spells out clearly to users exactly what they're agreeing to when they hand over their data.
Many companies today don't allow registered users to delete their accounts and offer only account deactivation. This lets them continue leveraging user data even after an account has been deactivated, because the customer data remains on the organization's servers.
Under GDPR, businesses will be expected to not only comply with account deactivation requests, but to offer complete account deletion. This "right to be forgotten" guideline will require organizations to completely scrub their systems and eliminate any trace of a customer. That could be a tall order for businesses with complex networks, distributed CRMs and marketing automation systems with databases spread out across various environments, departments, and regions. They will need to find a way to centralize this data or find an efficient means to locate it wherever it may reside and remove it.
With GDPR, the EU's leaders are making it clear that lackadaisical data privacy, security and management practices will no longer be tolerated. Any organization that wants to continue doing business in this market needs to diligently prepare its workflows, processes and systems to fully comply with the regulation.
For assistance going down the home stretch, be sure to reach out to Janrain and have a look at our GDPR information resources. Our unparalleled expertise may just be what you need to meet the GDPR deadline.