GDPR is big. Not only because of the potentially high fines for non-compliance, but also because of its broad scope.
The General Data Protection Regulation (GDPR) (EU Regulation 2016/679), effective May 25, 2018, gives individuals control over, and protection of, their personal data. The GDPR regulates the use of the personal data of natural persons and requires that such data be protected.
In the context of globalized business, the GDPR is broad in its applicability and now impacts a variety of organizations that were not necessarily affected by prior directives. So, whether your company processes data within the EU or not, and whether you use a third party to do it for you, you will likely be subject to GDPR requirements if you process or hold personal data of EU residents.
Who must comply:
- Organizations that offer goods or services to, or monitor the behaviour of, EU data subjects and those that process or hold the personal data of EU residents
- Applies to: Natural persons, whatever their nationality or place of residence in the EU, in relation to the processing of their personal data
- Penalties can be up to 4% of annual global revenue or €20 million, whichever is greater
GDPR at a Glance
- It is about protecting the personal data of EU citizens (bottom layer); data that can sometimes be de-personalized (or pseudonymized)
- Businesses/organizations want to use that data (controllers and processors (the 3rd parties they contract with, often service bureaus)) (top layer)
- But those businesses need to have a lawful purpose (lawful processing layer) for each processing activity
- And GDPR gives individuals the rights to see that their data is being processed lawfully (individual rights layer)
- But not only that: GDPR places more emphasis than previous regulation on companies demonstrating accountability on an ongoing basis (accountability layer) … roughly 60% of GDPR is about this
- Then there is demonstrating compliance as a part of accountability, with some related certifications (demonstrate compliance box/layer) … yet there is no single GDPR certification mechanism
- Of course, part of all this is protecting against data breaches, and if a data breach happens, notifying the right people quickly (breach notification layer)
- And if it all goes wrong, then you are at risk of fines, the most significant of which often relate to data breaches … a maximum of 4% of annual revenue or €20M, whichever is the greater.
Does it apply to you?
The GDPR applies to all companies that work with personal data. Personal data is all data about persons who are identified (for example by name) or who can be identified (for example by customer ID). Furthermore, the GDPR states that online identifiers (such as IP addresses) are also personal data.
How to become GDPR Compliant?
The following list gives some examples of what compliance involves; it is not exhaustive.
- Awareness: Make sure all your employees know about GDPR and what its implications are.
- Register your processing activities: Describe which data you process, why you do so, where you store it, with whom you share it …
- Privacy Statement: Check that your privacy statement is still up to date, clear and understandable. It also needs to inform the user about the legal basis for the data processing, how long you retain the data, and whether the data will be shared outside Europe.
- Rights of the data subject: The person whose data you gather has the following rights:
  - He can ask for access to his data. You need to provide this data within 30 days.
  - He can ask to have his data corrected or deleted.
  - He can ask to restrict the processing of his data.
  - He can object to the use of his data for direct marketing.
- Consent: If consent is the legal basis for processing someone’s data, check how you ask for that consent. Be aware that if you ask for consent from persons younger than 16 years, you’ll need the permission of one of the parents.
How does SuccessFactors help to be GDPR Compliant?
SuccessFactors is currently improving its system to help you comply with GDPR.
To give some examples, in the 2017 Q3 release they came up with the following:
- They made it easier to permanently delete the personal information of your users.
- When administrators add custom columns for user and instructor records, the system now warns administrators to avoid custom columns for sensitive personal information.
- Before Q3 2017, when you attempted to add a user ID that was the same as a deleted user ID (found in the audit tables), the system gave you the opportunity to reinstate the user from the history tables. Now, this is no longer an option. Instead, when you attempt to create a user with the same ID as a deleted user with an audit history, SAP SuccessFactors Learning blocks its creation.
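The blocking behaviour in the last bullet is worth seeing as a control rather than as a release note: an audit table is keyed by user ID, so letting a new person take over a deleted ID would merge two people's histories. The following is an added example, not SuccessFactors code: a small Python identity store with a constructed audit table, a `legacy_reinstate` mode standing in for the pre-Q3-2017 reinstate option, the current blocking behaviour, and a `purge_user` method that models permanent deletion. All names, data and method names are assumptions for illustration.

```python
"""Added example (not SuccessFactors code): an identity store that refuses to
reuse the ID of a deleted user while audit rows still reference that ID.
User IDs, names and the audit actions below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AuditEvent:
    user_id: str
    action: str


@dataclass
class UserStore:
    users: Dict[str, str] = field(default_factory=dict)      # user_id -> display name
    audit: List[AuditEvent] = field(default_factory=list)    # constructed audit table
    legacy_reinstate: bool = False                           # assumed pre-Q3-2017 behaviour

    def _has_audit_history(self, user_id: str) -> bool:
        return any(e.user_id == user_id for e in self.audit)

    def create_user(self, user_id: str, name: str) -> str:
        """Return 'created', 'exists', 'reinstated' or 'blocked'."""
        if user_id in self.users:
            return "exists"
        if self._has_audit_history(user_id):
            if self.legacy_reinstate:
                # Old behaviour: re-activate the record, so the new person
                # silently inherits the previous holder's audit trail.
                self.users[user_id] = name
                self.audit.append(AuditEvent(user_id, f"reinstated:{name}"))
                return "reinstated"
            # Current behaviour: the ID stays tied to its audit history.
            return "blocked"
        self.users[user_id] = name
        self.audit.append(AuditEvent(user_id, f"created:{name}"))
        return "created"

    def delete_user(self, user_id: str) -> None:
        """Soft delete: the account goes away, the audit rows remain."""
        name = self.users.pop(user_id)
        self.audit.append(AuditEvent(user_id, f"deleted:{name}"))

    def purge_user(self, user_id: str) -> None:
        """Assumed model of permanent deletion: remove the account and every
        audit row that identifies the person, after which the ID is free."""
        self.users.pop(user_id, None)
        self.audit = [e for e in self.audit if e.user_id != user_id]


def history(store: UserStore, user_id: str) -> List[str]:
    return [e.action for e in store.audit if e.user_id == user_id]


def demo(legacy: bool) -> Tuple[str, List[str]]:
    """Create, delete, then try to reuse the same ID for a different person."""
    store = UserStore(legacy_reinstate=legacy)
    store.create_user("u1001", "Alice Example")
    store.delete_user("u1001")
    outcome = store.create_user("u1001", "Bob Example")
    return outcome, history(store, "u1001")


def demo_after_purge() -> str:
    """Permanent deletion clears the audit rows, so the ID can be reused."""
    store = UserStore()
    store.create_user("u1001", "Alice Example")
    store.purge_user("u1001")
    return store.create_user("u1001", "Carol Example")


if __name__ == "__main__":
    print("legacy:", demo(True))
    print("current:", demo(False))
    print("after purge:", demo_after_purge())
```

In legacy mode the reinstated account carries Alice's audit rows under Bob's name; in the current mode the second create is refused and the trail stays unambiguous. Whether a real system purges audit rows on permanent deletion is an assumption here, made to show why the two controls in the bullets above belong together.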