GDPR Requirements That Every Business Must Know

A deep understanding of GDPR requirements is crucial for any organization doing business with EU citizens, regardless of where the company is based.

On May 25, 2018 GDPR (General Data Protection Regulation) went into effect. The primary objectives of the GDPR are to give control back to their EU citizens and residents over their personal data, to simplify the regulatory environment for international business, and to unify regulations within the European Union.

Personal data includes a wide range of personal identifiers, from addresses and public information, to social profiles, images, IP information, device IDs, and medical and financial details.

Consumer personal data collected within your company is often distributed to multiple systems and organizations, resulting in duplication. Your organization may be considering master data management (MDM) solutions to address various data management needs including compliance challenges.

Legacy MDM systems may comply with a small part of the regulation by managing profile data, but they also leave it to you to figure out how to manage the transaction and interaction information distributed across systems and channels.

GDPR Requirements: Understanding the Data Privacy Law

Complying with GDPR should be part of your day-to-day operations. One philosophy is that a Modern Data Management platform should organically support the key elements of GDPR by managing your customer’s profile information, lineage, and succession through your day-to-day data management activities.

  1. RIGHT TO BE FORGOTTEN – GDPR guidelines require your organization to support your customer’s Right to be Forgotten and purge their records upon request. Your business will also need to support your customer’s request for a copy of their information in a portable format. Any GDPR solution needs to guarantee purging of all traces by customer entity type in support of data erasure, including the removal of any attributes and historical transactions made by individuals captured as part of their digital activities, which is outside of the scope of traditional legacy MDM tools.
  2. CONSENT MANAGEMENT – Your company must also support a provision to produce any proof of consent provided by your customer on request, and a way for customers to withdraw the consent. Explicit consent is required before information is collected, and adult consent is mandatory when the collection of data involves children below the age of 16 years. Any solution that supports the management and maintenance of rights and consents must have the ability to capture and store consent types. Graph technology provides a great way to store relationships so you can easily capture and prove that an adult provided consent regarding the collection of information for a minor.
  3. AUDIT & LINEAGE – The new GDPR legal framework requires your company to support the ability to demonstrate the deletion of your customer’s private information. built-in audit and data lineage to support accountability for your business to demonstrate compliance. Attributes must also traceable back through lineage to the internal and external data providers they came from. In the case of a change request, the request can be routed back to its original source.

While there are many tools being offered to meet GDPR requirements and other regulatory requirements, companies should use a Modern Data Management platform that supports both offensive (e.g. improve operational efficiencies, deliver better customer experiences) data strategies, and defensive (e.g. maintain compliance, reduce costs) data strategies built-in.

Facebook has stopped short of promising GDPR level data compliance for US users. If you are a US company, even if you have no EU data, you should consider implementing a Modern Data Management platform that gives you GDPR-ready capabilities. Imagine the branding and goodwill you’ll get with your customers when they realize that you are taking measures above and beyond (exceeding that of Facebook) to respect their privacy and data.

Finally, it won’t take long for the US and rest of the world to catch up, the State of California recent enacted The California State Assembly’s passage today of the California Consumer Privacy Act (CCPA) which has many elements of GDPR.

My article listed three very basic GDPR requirements, but there are certainly many many more. Regardless of the solution or tool you put in place today, know that many more regulations are coming. A Modern Data Management platform does the heavy lifting for you today, and protects you into the future, allowing you to focus on your business.