The European Union (EU) Data Protection Directive was adopted in 1995, before the changes that the evolution of digital technology would bring could be foreseen. An update was needed, and it is now arriving: the new General Data Protection Regulation (GDPR) takes effect on May 25, 2018.
Though certainly not a fix for every aspect of the GDPR, data and application integration can play an important role in how organizations respond to GDPR requirements. Yet, many organizations are not ready with the necessary data integration capabilities.
What Is GDPR and Why Does It Matter?
The GDPR establishes a single set of data protection rules for the personal data of individuals in the EU. It also introduces significant fines for non-compliance, including revenue-based fines of up to four percent of total annual worldwide revenues (or €20 million, whichever is higher). Moreover, GDPR makes it considerably easier for individuals to bring private claims against an organization that is a data controller or processor.
The Information Commissioner for the United Kingdom, Elizabeth Denham, said in her speech at the Data Protection Practitioners’ Conference 2017 that boardrooms need to start caring about GDPR compliance.
She noted, “The GDPR gives regulators greater enforcement powers. If an organization can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.” [1]
Impact of the GDPR Goes Beyond the EU
Though an EU regulation, GDPR demands the full attention of any worldwide organization that processes the personal information of EU-based individuals for the purpose of offering them goods or services, or to monitor their behavior within the EU. This would include social media, online tracking, and data analytics.
Personal information that falls within the scope of GDPR includes data such as name, physical address, email address, identification number, location data, online identifiers, credit card number and health information. Organizations must also be able to honor a data subject’s request to access, and in some cases to erase, the personal data held about them.
In its GDPR Pulse Survey, PwC found that GDPR readiness is the number one data protection initiative for more than half of the multinational companies based in the United States. The regulation’s privacy requirements, such as mandatory record keeping, the right to be forgotten and data portability, are especially top of mind for these companies, the survey reports.
But probably the most telling response of U.S. companies to the looming GDPR deadline comes in the form of financial commitment. More than three-quarters of the survey respondents plan to spend $1 million or more on GDPR compliance. A non-compliance fine of as much as four percent of global revenues is a big stick, and it is prompting concerted efforts from any organization doing business in Europe.
GDPR Compliance: Dealing with the Data Flow
GDPR compliance requires an organization to understand how an EU data subject’s personal data is collected, used and shared across an enterprise and with any third-party suppliers, vendors or service providers. The data flows of many multi-national organizations might look like airline flight maps. Data is flying all over the place. Having a unified data management platform that allows companies to identify personal data, ensure its quality, and integrate it into necessary systems would help businesses comply with certain GDPR requirements.
Fundamentally, GDPR compliance is about emphasizing privacy as an indispensable part of the product (or service) lifecycle — whatever that product or service may be. This is a major shift for most organizations whether in the EU or elsewhere.
Technology Options
GDPR requires businesses to “know thy database.” Unfortunately, no single technology or technique can likely fulfill all GDPR requirements. Regardless, data and application integration is critical to responding to GDPR. Businesses will want to address data silos by integrating disparate data sources and enforcing data governance rules to ensure data is trusted and deleted when there is no legitimate purpose to retain it.
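The two capabilities described above, knowing where personal data sits and flows (including to third-party processors) and deleting it once there is no documented purpose to retain it, can be modeled as a small personal-data inventory. The following is an added example, not code from the original post or from Boomi; the system names, fields, purposes, retention periods and records are all constructed sample data, and a real inventory would be fed by the integration platform rather than hard-coded.

```python
"""Added example (not from the original post or from Boomi): a minimal
personal-data inventory that records where each personal-data field lives,
why it is held, how long that purpose justifies keeping it, and which
third parties receive it. On top of that inventory it implements two checks a
GDPR programme needs: find records whose retention has run out (or that have
no documented purpose at all), and build the list of systems and processors
to act on for an Article 17 erasure request. All names and data are made up."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataAsset:
    """One personal-data field held in one system (hypothetical systems)."""
    system: str             # e.g. "crm", "billing"
    field_name: str         # e.g. "email"
    category: str           # GDPR data category: identifier, financial, health, ...
    purpose: str            # the documented legitimate purpose for holding it
    retention_days: int     # how long that purpose justifies retention
    shared_with: tuple = ()  # third-party processors that receive this field


@dataclass(frozen=True)
class Record:
    """One stored value for one data subject, with its last legitimate use."""
    subject_id: str
    system: str
    field_name: str
    last_used: date


# Constructed inventory: what is held, where, why, for how long, shared with whom.
INVENTORY = [
    DataAsset("crm", "email", "identifier", "customer-support", 730, ("mailer-saas",)),
    DataAsset("billing", "card_number", "financial", "payment", 90, ("payment-processor",)),
    DataAsset("analytics", "device_id", "online-identifier", "behavioural-analytics", 365),
    DataAsset("hr", "health_note", "health", "occupational-health", 1825),
]

# Constructed records; "legacy_export" is deliberately absent from the inventory.
RECORDS = [
    Record("u1", "crm", "email", date(2018, 1, 10)),
    Record("u1", "billing", "card_number", date(2017, 11, 1)),
    Record("u2", "analytics", "device_id", date(2016, 12, 1)),
    Record("u2", "legacy_export", "email", date(2017, 6, 1)),
]


def index_inventory(inventory):
    """Look up an asset by (system, field)."""
    return {(a.system, a.field_name): a for a in inventory}


def third_party_flows(inventory):
    """Map each third-party recipient to the data categories it receives."""
    flows = {}
    for asset in inventory:
        for recipient in asset.shared_with:
            flows.setdefault(recipient, set()).add(asset.category)
    return flows


def expired_records(records, inventory, today):
    """Records that should be deleted: retention exceeded, or no documented purpose."""
    idx = index_inventory(inventory)
    findings = []
    for rec in records:
        asset = idx.get((rec.system, rec.field_name))
        if asset is None:
            # Data nobody has inventoried has no documented legitimate purpose.
            findings.append((rec, "no documented purpose"))
        elif today - rec.last_used > timedelta(days=asset.retention_days):
            findings.append((rec, f"retention of {asset.retention_days} days exceeded"))
    return findings


def erasure_plan(subject_id, records, inventory):
    """Systems holding the subject's data, plus processors that must be told to erase."""
    idx = index_inventory(inventory)
    systems, processors = set(), set()
    for rec in records:
        if rec.subject_id != subject_id:
            continue
        systems.add(rec.system)
        asset = idx.get((rec.system, rec.field_name))
        if asset is not None:
            processors.update(asset.shared_with)
    return {"systems": sorted(systems), "processors": sorted(processors)}


if __name__ == "__main__":
    today = date(2018, 5, 25)  # the GDPR effective date, used as "now"
    for recipient, cats in third_party_flows(INVENTORY).items():
        print(f"{recipient} receives: {', '.join(sorted(cats))}")
    for rec, reason in expired_records(RECORDS, INVENTORY, today):
        print(f"delete {rec.system}.{rec.field_name} for {rec.subject_id}: {reason}")
    print("erasure plan for u1:", erasure_plan("u1", RECORDS, INVENTORY))
```

Two design points matter more than the code itself. A record whose system and field are not in the inventory is reported as a deletion candidate rather than silently ignored, because data with no documented purpose is exactly what the "know thy database" requirement is aimed at. And the erasure plan includes downstream processors, since erasing a value in the source system without notifying the third parties it was shared with leaves the obligation only partly met.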
Many organizations, however, are not ready with the necessary data integration capabilities. If your organization does not have strong integration capabilities, it could struggle to address the data governance management demands of GDPR. Fortunately, modern integration technology has come a long way. Within a unified integration platform as a service (iPaaS), an organization can rapidly and hyper-efficiently build out integrations through a low-code, drag-and-drop development environment.
Data quality can also be assured through native master data management capabilities. The best of today’s cloud-based integration platforms can also support API management for connecting to external data sources.
This was part one of a multi-part series that examines the potential data management and application integration implications of GDPR. In part two, we’ll look at the steps organizations can take to quickly build up their integration capabilities, including the three ways Boomi can help with GDPR compliance. Stay tuned!