Data is the lifeblood that powers modern businesses and today’s digital transformation. More data allows smarter analytics, which drives better products, which draws more users, which ultimately creates even more data. This concept is known as data network effects: the more user data companies have, the smarter its products and services become.
As such, businesses now face a powerful incentive to maximize data collection. In an ideal world, this effect would be a win-win scenario for both companies and individuals. However, recent history shows that the relentless pursuit of data without regard for users’ right to privacy can result in everything from data breaches to hidden software trackers.
In an effort to safeguard user privacy, the General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, and will be directly binding law for all European Member States.
This legislation is meant to raise the level of personal data protection for European residents and to consolidate this legislation among EU member states. Consequently, companies will likely need to modernize their approach to data protection to comply with the new rules. The regulation is based on the premise that personal data ultimately belongs to the person and gives individuals greater control over how companies use their data, including legal rights to access and delete their personal data and requiring explicit consent to process their data if not already permitted by law.
However, most companies across all industries are not ready for the changes the GDPR will bring to the way business is done. Among UK corporations surveyed by PWC, only 8% have finished preparations, while 34% have just begun preparations and 5% have not started at all. It is vital that every company understands the coming impact of GDPR so they can properly prepare before the regulation goes into effect.
The following crucial information on GDPR will help you better understand its guiding principles, the cost of violation, important rules for every business to follow and how Liferay DXP complies with these new regulations. With the following knowledge, your company can take action and be prepared for the start of GDPR.
The Principle Behind GDPR
The 99 articles and 173 recitals of the GDPR are designed to curb potential personal data abuses. Recital 1 encapsulates the overarching reason behind all of the regulations:
“The protection of natural persons in relation to the processing of personal data is a fundamental right.”
While the protections that come from GDPR may require businesses to restructure their practices, this fundamental principle should be adopted by all businesses due to its focus on the rights of all people. Though it’s tempting to approach compliance with a simple checklist mentality, the question is not so black and white. The regulation is intentionally broad and its specific application will depend on the scale and sensitivity of the personal data each business processes. Businesses will need to take a risk-based approach in evaluating how to comply with the regulations.
No amount of money or effort can ever fully guarantee the safety of a company’s data, but every company should determine the appropriate investment needed to adequately protect its users’ data.
The Cost of GDPR
In the event of a company violating the rules of GDPR, the responsible supervisory authority in the EU Member State can fine data controllers up to 4% of the controller’s global annual revenue of the previous fiscal year or EUR 20 million, whichever is higher. The company can also be required to pay compensation for damages to individuals. Violations will be made public, which could incur even greater costs resulting from a loss of customer trust.
In addition, the PWC study found that among companies that have finished GDPR preparations, more than 88% spent over $1 million on their effort, and 40% spent over $10 million, according to their own estimations. The regulations that come with this new legislation mean that all aspects of a company must work together to prepare and ensure all their processes are compliant, leading to these costs.
The Practice of GDPR
The GDPR outlines regulations for a broad range of practices dealing with personal data, including special rules for processing children’s data, transferring data to other countries, automated decision-making, dealing with data breaches and more. Every company should assess how the GDPR applies to its particular use case. Below are some examples of broader rules that apply to most, if not all, businesses.
- Lawfulness, fairness, and transparency (article 5(1)(a)) requires businesses to be forthright and transparent about what personal data is being collected and why. Gone are the days of hiding behind pages of legalese in end-user license agreements to acquire consent to collect data. Businesses must make it abundantly clear exactly how and why they process a user’s personal data.
- Data minimization (article 5(1)(c)) is a principle that contrasts with some modern businesses’ adoption of a “data maximization” mindset. Businesses sometimes collect personal data without a clear purpose for how the data will be used. In this era of big data, AI and machine learning, the driving philosophy is to collect everything now, in case it proves useful later. Under the GDPR, businesses must only collect the minimum amount of data necessary to fulfill its intended purpose.
- Explicit consent (article 6(1)(a)) from the individual is legally required to process non-essential personal data. This will particularly affect marketers that want to collect information to target users with marketing material. In the words of the regulation, consent must be “freely given, specific, informed and unambiguous.” This means practices like selling email lists to third parties without user consent and pre-ticked checkboxes for email newsletters are no longer permitted.
- The right to erasure (article 17) empowers individuals with the right to request businesses erase all personal data from their systems, given the business is not legally required to keep the data (like bank records). Also known as the “right to be forgotten,” this requirement can be fulfilled through deletion or anonymization, but the bar for proper anonymization is high.
- The right to data portability (article 20) similarly gives individuals the right to request businesses export all personal data from their systems. This prevents vendor lock-in where individuals are unable to choose a competing service due to the magnitude and complexity of personal data with a particular business.
These are just a few regulations outlined in the GDPR. Businesses should not underestimate the scope of the GDPR and should conduct thorough assessments of both the regulation and its impact on their existing operations.
What Is Liferay DXP Doing for GDPR?
Compliance will look different for every business. A hospital’s patient records must be handled differently from employee intranet profiles. Liferay is committed to delivering flexible products that can be customized to support your company’s strategy for protecting your end users’ privacy.
Liferay Digital Experience Platform supports robust data protection and security capabilities to accelerate your journey toward GDPR compliance. This includes out-of-the-box user management features, powerful search for discovering data, flexible taxonomy for classifying data, a granular permissioning system and a highly customizable framework. Future capabilities will include the ability to directly manage data portability and data erasure/anonymization needs for users within Liferay systems.