The General Data Protection Regulation is the biggest data protection and handling reform in over 20 years, with implications for organizations across the European Union and the world. It reinforces the responsibilities and requirements placed on organizations that collect and hold data, establishes penalties for noncompliance, and formalizes the rights individuals (known as 'natural persons' under the regulation) have over the way personal data about them is gathered and stored.
As technology users, many people are increasingly wary of just how much personal data we provide to corporations, and the value of that data as a resource. Personal data can be analyzed to discover our online habits, our personalities, and the way we think. This can offer incredible insight into our likely patterns of behavior, in turn meaning companies can understand and even influence everything from our political views, to what we might buy, to the way we relate to certain issues or people.
Through regulation of when and how this personal data can be collected, and the purposes for which it can be used, the GDPR aims to limit the power organizations have over their customers' personal data, enhance data privacy throughout the EU, and ensure every organization in the EU understands their data protection obligations, both internal (such as training and appointing a suitable Data Protection Officer, or DPO) and external (knowing who their relevant supervisory authority is, in case they need to submit notification of a data breach). Combined, these new regulations may even help prevent whatever the next Cambridge Analytica scandal turns out to be.
Data protection requirements
The GDPR states that EU citizens—also known as 'data subjects'—must:
- Give explicit consent to the processing of their personal data
- Have easy access to their personal data
- Be able to easily access information about the processing of their data
In addition, each data subject has the right to:
- Request the erasure of all data belonging to them
- Object to the use of their personal data for the purposes of 'profiling'
- Move their data easily between organizations or service providers ('data portability')
Ensuring your organizational policies and procedures align with these requirements, and that you comply fully with the provisions of the GDPR, is an important responsibility, especially given the hefty fines possible if you don't comply! For some organizations, the GDPR will mean changes to “the way things have always been done,” with all the potential disruption this entails. Fortunately, Signavio can help.
Signavio is your GDPR one-stop shop
A software platform like Signavio can guide users with limited GDPR knowledge to map personal data items against business processes and operations, helping document GDPR risk and controls, reducing the risk of human error, and helping ensure your organization's data processing activities are compliant with the new data protection laws.
Signavio's Guide to GDPR Compliance is a handy GDPR overview, and will help you prepare for the changes ahead, including the steps you can take now to ensure your business is best-placed to thrive under the new data protection requirements.
In addition, over the coming weeks, Signavio’s Countdown to GDPR blog series will highlight the 6 biggest changes in the GDPR you should know about, detail what you need to do in the event of a data breach, and consider the impact Brexit might have on the GDPR. This includes whether updates in EU data protection laws still apply to UK businesses.
Looking beyond the General Data Protection Regulation
Of course, for many organizations, 25 May 2018 is just a day like any other. These organizations have implemented data protection by design and default—they already have robust data protection measures and a data breach response in place, their customer communication is up-to-date, and their DPOs are ready to leap into action at a moment’s notice. For these organizations, Signavio will also examine how Business Process Management can help organizations look past the GDPR, and plan for the future.
Any business looking to increase efficiency, reduce expenditure, and more effectively manage risk can take advantage of the power of Process Modeling and Process Mining. Many companies are looking to technology to ease the burden of compliance and provide wider operational benefits, but few have taken the next step and established strategies for ensuring compliance into the future.
To help get you moving on the right path to success, Signavio is hosting Beyond the Deadline: Sustainable GDPR Compliance, an event for anyone thinking about what their organization’s compliance framework will look like on May 26, or in June, or December, or 18 months from now. In other words, how to embed a forward-looking and systematic compliance culture into your business.
Beyond the Deadline takes place on Friday 11 May, at the Shangri-La Hotel At The Shard, in London. For more information, and to register your attendance, visit the Signavio event page.
Risk and compliance resources
In addition to our Guide to GDPR Compliance, the Signavio 7 Step Guide to Risk and Compliance covers the steps your business needs to take in order to ensure you meet your regulatory requirements. To investigate the broader issues around risk and compliance in a modern business, try Signavio's white paper, Modern Compliance Management in Times of Constant Change. If you've got this risk thing under control, and want to understand more about how Signavio can help improve your business processes, why not sign up for a free 30-day trial with Signavio today?