skip to main content

GDPR: Not just a compliance exercise

Compliance begins with Enterprise Information Management.

GDPR cover image. Full name, age, gender, telephone number, tax info, address, citizenship, birth date, education, travel document, national identity numbers, criminal record.

  • Overview
  • GDPR & EIM
  • RESOURCES

What is the GDPR?

The GDPR is the new European Union data privacy legislation to modernize and reform the laws that address the handling of personal data of European Union residents. It represents the biggest overhaul of the world’s privacy rules in more than 20 years.

Highlights

  • The GDPR applies to all 28 EU member states and has the full force of the law.
  • It applies to EU citizens’ personal data, regardless of where it is collected, stored, or processed – whether inside or outside of the EU.
  • If your company collects and stores the personal data of EU citizens, the GDPR is relevant to your organization, even if you don’t have a formal presence in the EU zone.
  • There was a transition period of two years for organizations to implement compliant processes. The deadline was May 2018.
  • The GDPR does not apply to the processing of personal data as it pertains to matters of national security or "purely personal or household activity."

Notable Changes

Stricter consent rules The GDPR requires that individuals give unambiguous, informed consent before their data may be processed. Consent cannot be assumed from inaction.
Enhanced rights for data subjects Individuals have more rights under the GDPR including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request personal data be ported to another service provider.
Data breach notification Organizations must notify those whose data has been breached, within 72 hours of the breach.
Increased accountability measures There are a number of new governance requirements for subject organizations, including conducting privacy impact assessments and appointing a data protection officer.
Substantial fines Maximum penalties are €20 million or 4% of annual global revenue, whichever is greater.

Data Minimization vs Data Maximization

Today, most businesses and their marketing teams follow the practice of data maximization, that is, collecting as much data about consumers as possible, sometimes before they know exactly what, how, or when that data will be used. In addition they will extract as much value out of this data as they can, including at times, reusing it for various purposes or even selling it to another party. One of the biggest tenets of the GDPR is the principle of data minimization, that is, that firms collect only the smallest amount of personal data for the shortest period of time possible, and delete it as quickly as possible after its specific purpose is completed.

Effective May 25, 2018, the European Parliament entered into force the General Data Protection Regulation or GDPR. The Regulation has had significant impact on organizations in all industry sectors, bringing with it both challenges for compliance as well as opportunities to achieve competitive advantage.

An important first step will be for organizations to have clarity on how they manage personal information, including:

  • What personal data is processed, and are there lawful purposes to do so
  • Where it is stored across the organization
  • Who has access to it
  • What consent has been provided and where it is documented
  • Where it is transferred from and to (including to third parties and cross-border)
  • How it is secured throughout its lifecycle
  • If there are processes in place to dispose of personal data, as per policy

To Support GDPR Requirements

  • Automate privacy processes
  • Ensure an appropriate level of security, including confidentiality
  • Protect personal information from unauthorized access
  • Secure data in transit and at rest
  • Provide right to erasure, rectification, access and data portability
  • Adhere to data minimization
  • Enforce records management
  • Ensure data protection by design and default

How OpenText Can Help

  • OpenText Privacy Center is an enterprise privacy management application built on OpenText™ AppWorks, that centralizes and automates multiple privacy processes within an organization.
  • OpenText Content Suite delivers transparent, automated, enterprise-wide governance to produce industry-leading security, privacy and compliance.
  • OpenText Records Management supports data minimization by streamlining and automating retention and disposition processes.
  • OpenText File Intelligence provides data discovery capabilities so organizations can identify and act on content that contains personal data, wherever it resides.
  • GDPR Discovery and Analysis Service engages OpenText Professional Services consultants who use the indexing and categorization features of OpenText File Intelligence, tuned to the GDPR definitions of personal information, to identify personal information residing in non-compliant data stores.
  • OpenText Cloud Services offer comprehensive security and compliance capabilities and are qualified data processors. We are constantly interfacing with customers, regulatory bodies, and standards boards to advance compliance and serve customers’ needs.
  • OpenText Product Security Assurance Program (PSAP) ensures that all our products, solutions, and services are designed, developed, and maintained with security in mind i.e. security by design.

GDPR - From data protection to competitive advantage

GDPR - From data protection to competitive advantage

Watch the Video

What Does GDPR Mean for B2B Organizations?

Read the White Paper

OpenText Product Security Assurance Program

 Download the Overview