The EU’s General Data Protection Regulation (GDPR) is definitely a game changer – but perhaps not in the way you think.
A great deal has already been written about the stringent obligations – and hefty fines – it places on organizations managing the personal data of EU citizens. Much less has been made of its other stated aim: To facilitate the exchange of information for businesses that operate in the EU. But the GDPR is not limited to only EU companies, so… how best to capture the opportunity within GDPR implementation?
An opportunity? Really?!!
It’s easy to focus on the amount of change – at an organizational, technical and process level – that every company will need to undertake to get ready for the May 2018 deadline. But that is to overlook the bigger picture. GDPR is explicitly designed to harmonize data security and privacy laws across Europe. It is by far the most far-reaching legislation of its type ever attempted, and it represents a single data protection approach for 28 trading countries and, indeed, beyond.
As all companies that hold personal data on EU citizens must comply – and let’s face it, today that’s pretty much everyone – the success of GDPR is very likely to make it a global standard by default.
To date, organizations have not addressed their data protection and privacy risks in a consistent way. GDPR now makes this essential. The opportunity arises when you see this as more than simply a compliance issue. As PA Consulting suggests, companies “can take a more business- and customer-centric approach that will allow them to explore how they can manage personal data to help make more informed decisions and create a better experience for their customers”.
There are really two core elements to the obligations of B2B companies under the GDPR. The first is to store and manage personal data in a way that keeps it quickly accessible to the data subject at all times and removable if required. B2B organizations must remember that, for the GDPR, personal data means data about individuals, including your customers, suppliers and service providers. It also covers how and why you exchange personal data within your supply chain or trading partner network.
Secondly, personal data must be defended and secure at all times – in transit or at rest. The International Association of Privacy Professionals recommends that the security actions to undertake include:
- The pseudonymization and encryption of personal data
- The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
A focus on technical infrastructure
It’s clear that the correct technical infrastructure has a key role to play when implementing the GDPR. Organizations will really struggle if they continue to hold silos of information. Instead, they must have a clear end-to-end view of all the personal data they hold. This covers both structured and unstructured data – everything from emails and social media behaviors to contracts or service documentation.
This does require a significant change in thinking. Organizations will need to introduce Privacy-by-Design and Data Protection-by-Design as core foundations of their infrastructure. These strategies have been at the heart of solution development at OpenText for years.
The OpenText™ Business Network portfolio of solutions – including OpenText™ Trading Grid Messaging Service, OpenText™ Active Applications, OpenText™ Managed Services, and OpenText™ Fax Solutions – incorporates the highest security standards, encryption and best practices. These solutions enable the processing and exchange of information with comprehensive encryption to mitigate the risks associated with processing sensitive data. Rigorously auditing, testing and enforcing compliance with security regulations such as the GDPR across extended and sophisticated supply chains is a fundamental part of OpenText operations.
For example, the OpenText™ Cloud Fax network is built on connectivity protocols that keep customers aligned with the most pertinent regulatory and compliance mandates. With options including secure web connections via TLS and HTTPS or VPN connections, organizations remain securely connected to the OpenText Cloud and privacy is maintained. With encryption at rest and in transit, content is protected both where it is stored and while it is on the move.
Keep calm. Carry on.
The good news is that GDPR is not meant to cripple you as a business – quite the opposite. But, it does demand a much more proactive and consistent approach to data protection. For B2B organizations, that really doesn’t have to be a threat. Almost every organization has Digital Transformation at the heart of its business strategy. Almost every organization is looking for ways to optimize the value of the data it holds. In this context, GDPR can be seen as a legal framework to make this happen. Now, there’s an opportunity!