With mere hours to go before the General Data Protection Regulation (GDPR) comes into effect, it seems appropriate to take a few minutes to reflect on the approaches and issues we have seen amongst those we have been talking to.
What is probably most concerning is the number of organisations that do not understand the need for them to comply with the GDPR.
Although designed to protect the rights and privacy of EU residents, it applies to ANY organisation that collects or processes their personal data, regardless of where that organisation is based, headquartered or registered.
In a globalised business environment, this point is important.
We are actively communicating this to Verint customers in the Americas and throughout the Asia Pacific region—offering information and advice on how their Verint solutions can help them comply with the regulations.
On the other hand, while organisations based in the EU are clear about their responsibility to comply with the new legislation, there still appears to be some confusion around the requirement to gather the explicit consent of data subjects.
Many businesses find themselves part of a frantic round of communications with customers, requesting that they provide consent to allow continued storage and processing of their data.
And yet, in my estimation (as an EU resident on the receiving end of these efforts), at least 30% of these requests may not be necessary, because I have an existing contractual relationship with that business—such as supplying my utilities or other goods I have ordered.
As we pointed out in an earlier blog post on this subject, the GDPR’s requirement for recorded consent only applies if there is no other legitimate or legally required reason for holding and processing personal data, such as the fulfillment of contractual obligations, other applicable laws and regulations, or the delivery of public services.
What is also clear is that, understandably, most organisations’ current focus is on putting in place processes and tools that will allow them to comply with the new regulations at a basic level—or at least demonstrate progress in that direction.
Of course, it is a broad spectrum, with some having made significantly more progress than others. However, the big, largely unanswered question is: “How do we move from manual compliance to sustainable compliance?”
GDPR will be around for many years to come. It will still apply in the UK, even after “Brexit.”
And analysts are already predicting that it will become the model for a tightening of U.S. laws in this arena.
Going forward, we will need to harness policies and processes, organisational structures and IT tools to achieve an effective, efficient and compliant “state of grace.”
These efforts should help make GDPR best practices a normal part of every business day.
We will discuss this with Forrester’s GDPR expert, Enza Iannopollo, during an upcoming webinar called “It’s Here – Now What? Building a Foundation for Sustained GDPR Compliance.”
Register today and join us on May 29.