Digital Strategy

General Data Protection Regulation (GDPR): Context and Principles of a Tsunami in the Digital Sector in Europe

The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018 in Europe, will have important consequences for the digital ecosystem of the region. Many actors will be affected by this regulation: some will have to rethink their business model, and every company that collects data will have to undertake compliance projects to become GDPR compliant (if that is not already the case).

In this article, I will present the goals at stake and the scope of this regulation, the different principles of personal data protection, and finally two types of projects to carry out to become GDPR compliant.

1. Goals and scope of the GDPR:

The implementation of the GDPR in Europe responds to 3 main goals:

Harmonize European regulations: not all countries in Europe have the same level of data protection regulation and practices. This policy aims to harmonize all European countries and strengthen the power of the different supervisory authorities in Europe, such as the CNIL in France.

Make companies aware of their responsibilities regarding the way they deal with the personal data of their clients.

Strengthen the right of citizens to control their personal data and limit its collection and usage.

The scope of this regulation extends to the data of all people based in the European Union (Art 3.2), and penalties can go up to 20 million euros or, in the case of a company, 4% of its global consolidated turnover.

2. Four main principles of personal data protection 

The GDPR strengthens the basic principles of personal data processing.

Purpose: the processing of personal data has to be lawful and legitimate, and the data collected has to be relevant to the processing. This is a principle of minimization: only personal data that is necessary to achieve the purpose may be collected.

Transparency: citizens have a right to prior information about the collection of their data and about the rights they have over it (access to their data, right of modification, opposition to prospecting or profiling).

Security: the person in charge of data processing has a duty to ensure the security and privacy of the processing.

Retention: data must be kept for a suitable and legal duration; this duration must not exceed the duration necessary to process the data.

3. Two types of projects to lead to become GDPR compliant:

To be GDPR compliant, companies have to carry out many projects that can be divided into two categories:

Projects related to the evolution of the customer relationship (mainly front-office and UX projects)

Internal transformation projects (mainly back-office, process and IT projects)

The GDPR will have an impact on the customer relationship, and 3 points will have to evolve:

Information: data controllers will need to communicate about collected data and processing in a concise, transparent, understandable and easily accessible way.

Consents: companies will have to collect and track customers' consents. Consent to personal data processing has to be given in a clear, positive way.

New rights: the GDPR will shape new rights for the consumer: the right to data portability (consumers will be able to retrieve the data they have given), the right to limitation of personal data processing, and the right to be forgotten (on demand).

Those 3 points will have a huge impact on the front office of the website and will greatly affect the user experience.

Last but not least, the GDPR will have a huge impact on the internal organization of companies at the process and IT level:

Data storage, privacy and security: a processing register will have to be created, specifying each consent, the type of data collected and its storage duration.

Processing and transfer of data

Organization, notification and change management: define new roles such as the DPO (Data Protection Officer) and new processes in case of an incident such as a data leak.

To conclude, huge and complex projects have to be led by companies to be GDPR compliant and ready for May 2018. This regulation will have a significant impact on the back and front office of websites, and it will redefine consumers' stance toward their personal data, how they can limit access to it, and their relationships with companies.

Sources: Converteo – White paper on GDPR
