In May 2016, a new EU Regulation and Directive were released to govern the protection of personal data, the General Data Protection Regulation (GDPR). It will enter into force after a two-year grace period in May 2018. That is little more than one year away, and enterprises need to get active to evaluate what it means for them and how they need to prepare.
As stated on the European Commission website: “The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business.”
Data protection laws are nothing new in the European Union. However, the new GDPR rules present some significant impacts and changes to current data privacy regulations. For one, what used to be a directive is now a regulation with full force of law, valid across all EU countries. And despite Brexit, the UK government has confirmed that the UK will implement GDPR (read the UK Information Commissioner’s blog on this topic).
The other important aspect is that GDPR now imposes substantial fines upon individuals and enterprises that do not adhere to the law. Minor breaches will be fined up to 10 million EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year for a business, whichever is higher. Major breaches will be fined up to 20 million EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year for a business, whichever is higher. It should be re-emphasized that the turnover is not just the turnover of the EU-located part of the enterprise, but the worldwide turnover of the enterprise.
Protecting Personal Data of EU Citizens – What does that mean?
As GDPR protects the personal data of the citizens of the European Union, it imposes duties upon enterprises that collect and manage personal data. These entities are called “Data Processors”. Data processing entities located in the EU are subject to GDPR, but so are companies outside the EU that process personal data of EU citizens. So the regulation also applies to non-EU enterprises with contact points to the EU: GDPR requires compliance outside of the EU as well.
Collecting and processing data is legitimate as long as it serves a justified purpose, as defined by GDPR, for example “if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation …”
Such justified purposes for storing and retaining personal data are, for example, laws that govern retention of content, such as tax-relevant data and documents, where retaining the scanned vendor invoice or a customer bill is not only justified but an obligation.
What is the relevance of GDPR for Day-to-Day Business Processes?
Personal data relating to business partners, such as customers and suppliers, is processed and stored during the course of day-to-day business processes, in the procure-to-pay as well as the order-to-cash process. To give some concrete examples, let’s now take a look at an enterprise that uses SAP ERP to manage its processes and OpenText to attach business documents to these processes.
It is of course not just about the data created and stored in the SAP database of the leading enterprise application (ERP, CRM, …); it is also about the business documents that are captured during this process. Take, for example, an incoming vendor invoice on paper, which is scanned, attached to the transaction via ArchiveLink and then securely stored on the OpenText™ Archive Center. Or, in the example of an order-to-cash process, it is an incoming sales order and a delivery note to a client, which are linked to the SAP order and stored in OpenText.
In May 2018, GDPR will start to apply, following a two-year transition period that allows the public and private sectors to get ready for the new rules.
So how should enterprises prepare and get ready for GDPR?
With regard to storing personal data for a justified purpose, enterprises need to set up policies and procedures – not only to retain content for as long as they are obliged to by law, such as taxation or product liability laws, but also to delete content in a timely fashion once it is no longer needed or the justified purpose for retention has expired.
Learn more about OpenText’s capabilities to support GDPR requirements in the SAP environment in a forthcoming blog post, and also by reading our other blog entries here and here. You can also visit our website and learn how OpenText EIM offers capabilities that can support customers in preparing for GDPR, or listen to our webinar.