International implications of the EU General Data Protection Regulation (GDPR)

Wait, remind me again – what is GDPR ?

First, let’s clarify what the GDPR entails. The regulation was created and enacted by the European Union to define a set of rights for EU citizens, as well as a set of requirements for EU organizations regarding collection and protection of personal data. Nevertheless, it is worth knowing that while this regulation is EU-specific, it also affects any organization that want to conduct business within the Union – any company that plans on collecting personal information about an EU citizen must comply with this regulation and ensure that citizens are granted the required level of control over the collected personal information.

The GDPR regulation states that EU citizens have several rights regarding their personal data:

1. The right to breach notification.
Organizations must alert citizens or customers within 72 hours in case of a data leak that potentially involves their personal information.
2. The right to access.
Upon request, any government or business organization must be prepared to provide a copy of all known personal information held by that organization, as well as the purpose behind the collection of said information.

3. The right to be forgotten.
Any EU citizen can request erasure of all collected personal data and organizations must comply if there are no further implications.

4. The right to data portability.
Any personal information must be shared in a format that is easily understood and easily consumed.

5. Privacy by design.
Organizations that plan to collect personal information will need to invest in robust security and record keeping practices.

How will GDPR affect business and government groups operating on EU territory?

This regulation will bring about huge changes in regards to how organizations collect and treat personal data. From May 2018, organizations not only have to justify why they are collecting information such as date of birth, gender or e-mail address, but also must comply with any individual request to destroy that information. GDPR poses a distinct challenge for organizations that may not have the systems in place to handle these personal data requests or the appropriate technology to manage not only the proper order and protection of the these items, but the ability to efficiently search, dispose and/or export the content for the data subjects.

For groups that do not comply, GDPR sanctions are severe from warnings and being subject to regular audits, to fines that can go up to tens of millions of dollars.

The records management and data protection implications of GDPR ?

One of the expected outcomes of the GDPR regulation is that organizations will have to tune their existing information governance and records management practices. Since organizations will be have to be able to provide personal data to EU citizens upon request, they must have very strong control of that data, including proper classification, organization, metadata availability and exportability. These requirements require a robust data management system, which is an investment that all organizations should be making regardless.

In light of the imposition of much more onerous fines imposed by the new regulations, having a well-defined and clearly articulated records management and information security policies, procedures and systems is essential. The ability to classify information consistently, including personally identifiable and sensitive information, and manage the access permissions associated with them will mitigate risk in the event of common security breaches such as user account hijacking.

For further information on how to secure and protect your sensitive information within OpenText Content Suite, reach out to us today.