The clock is ticking on the May 25, 2018, enforcement deadline for the EU General Data Protection Regulation (GDPR), and your customers may be looking for help to comply.
GDPR Changes Data Collection in EU
The General Data Protection Regulation’s goal is to protect EU citizens from data breaches by coordinating data privacy laws throughout Europe and adapting how businesses and organizations manage data privacy. The rule applies to all companies processing or controlling EU residents’ data—whether the company is in the EU or anywhere else in the world. Examples of the types of data that are regulated include names, addresses, photos, payment data, social network posts, medical information, and computer IP addresses.
Notice that the law applies to both “processors” and “controllers” of data. A retailer, for example, would be a data controller that collects data when a person shops on their website or makes payment, and a cloud provider would be a processor that stores the data. Companies that process or store large amounts of data must appoint a data protection officer (DPO) to oversee proper management of data and compliance with GDPR.
EU Residents Get Control of Data Collection and Use
The regulation also requires changes to how an EU resident gives consent to a company to collect or use their data. Each company must create easily understandable consent forms—they can no longer have a page of legalese tucked in a hard-to-find section of their website. It also has to be distinguishable from other activities (such as making a purchase or requesting a subscription). The company must also make it just as easy to withdraw consent as it is to give it. The regulation requires that businesses or organizations must provide information to an EU resident upon request regarding what data is collected and for what purpose. It also gives them the right to “Data Erasure,” so they can request that all data that pertains to them be erased by the controller.
Organizations guilty of the most severe types of noncompliance with the General Data Protection Regulation, such as not having customer consent, can be fined up to 4% of their annual revenue or €20 Million (approximately $24.6 Million USD), whichever is greater. Lesser charges, such as improper recordkeeping, not making notification of a breach, or not conducting an impact assessment, can result in fines of 2%.
What ISVs Need to Do
If the General Data Protection Regulation applies to business you conduct in the EU, you need to seek legal counsel and create a plan for compliance.
But ISVs also need to know the GDPR is creating opportunities for your business. For example, the regulation includes “Privacy by Design,” which requires data protection to be included with a system’s design, rather than something that is added later. GDPR may be the impetus for companies to migrate their systems to your security-built-right-in platform.
Your customers will also be looking for assistance with solutions that help them track and report consent, respond to EU resident requests for how their data is used or for data erasure, and other rights they have under GDPR. With the deadline fast approaching, you need to talk to your clients now about GDPR and what your ISV company has to offer that can help them comply.