[REPORT PREVIEW] GDPR Beyond May 25, 2018
RESEARCH REPORT
GDPR Beyond May 25, 2018
Implications for Strategists and Marketers
FEBRUARY 6, 2018
BY SUSAN ETLINGER
PREVIEW VERSION
Table of Contents
  2  Executive Summary
  3  Introduction
  5  What is the GDPR?
  8  Opportunities for Global Business
 12  Recommendations
 14  Endnotes
 15  Methodology
 15  About Us
 16  How to Work With Us
Executive Summary
On May 25, 2018, the European Union’s General Data Protection Regulation
(GDPR) will go into effect. It will harmonize existing data protection laws
in the European Union (EU), but, as importantly, it will fundamentally
strengthen the rights of people in the EU to control their personal data.
There is no question that the potential impact of GDPR is massive, and much
is still unknown. What is clear is that it will trigger profound changes within
organizations of all kinds that collect data from people in the EU, requiring
alterations in process, technology, delivery, and design of products and
services, communication, and organizational structure, among many other
things. But while GDPR represents a significant disruption to business
operations in the short term, it also represents a strategic opportunity in the
longer term.
This report is not a “how to” for GDPR compliance. Rather, it lays out the
strategic opportunities that come from more transparent and trustworthy
interactions between individuals and organizations: product, service, and
business model innovation; customer experience and loyalty; operations;
brand reputation; and competitive positioning.
Introduction
One fact increasingly affects us: We live in a data-rich world. As IBM famously stated:
“Ninety percent of the data in the world was created in the past two years alone,” and
that time span is narrowing.1 While technology access remains uneven, the availability
of increasingly personal data — gathered by sensors, social media posts, images, mobile
phones, websites, closed circuit TV, videos, and transaction records, among others —
challenges established notions of privacy rights.
The discussion of the individual’s right to privacy has been particularly intense in the
EU, where data protection has been a high priority for years. The focus has been to find
a way to restore control of personal data to the individual, improve transparency, and
fundamentally change the way organizations approach data collection and use.
On April 14, 2016, the EU Parliament approved the GDPR as a single, legal standard across
the EU “to make Europe fit for the digital age.” More than 90% of Europeans say they want
the same data protection rights across the EU – and regardless of where their data is
processed.2 The new law goes into effect on May 25, 2018.
GDPR will trigger fundamental changes to all organizations, no matter their location,
that collect data from people in the EU. For this reason, it is a mistake to view it simply as
an “EU issue,” an obscure regulation or a compliance exercise handled by a team with a
checklist. The breadth and depth of changes demanded by GDPR are vast and could well
influence how global companies treat personal data for many years to come.
There is no question that GDPR calls for changes in data collection and processing
that significantly disrupt organizations. Some question whether the breach notification
deadline of 72 hours is even possible given the complexity of corporate database
structures and information technology environments. Data access regulations are also
challenging, as extracting and exporting all personal data from apps and systems in an
accessible format is no easy task.
But as challenging as GDPR may be for the groups working on complying with the
regulation, it also represents an opportunity: to develop new data-centric and compliant
products, services, and business models and reset trust with customers, clients,
consumers, and the general public.
FIGURE 1: MOST CONCERNING ISSUES ABOUT ONLINE USAGE ACCORDING TO INTERNET USERS IN THE UNITED STATES AS OF MAY 2017 (SOURCE: STATISTA)

Issue (share of respondents):
  Cyber crime such as having your money or personal information stolen online: 59%
  Cyber attacks via internet to disrupt life in the U.S. (e.g. online theft of classified info, disrupting services): 49%
  Fake news stories and propaganda on social media: 31%
  Companies collecting and sharing your personal data online with other organizations: 30%
  Online surveillance of U.S. citizens by U.S. government: 26%
  Children accessing online content of an inappropriate nature: 23%
  Hurtful or personal things about you being posted online: 7%
  None of the above: 4%
  Don’t know: 11%
But there are reasons beyond compliance that organizations should consider in the wake
of GDPR. In the United States (US), at least three of Internet users’ top 10 concerns relate
to the way companies and governments use their personal data (Figure 1). While cyber
crime and cyber attacks appear to be the most salient worries, 30% of U.S. Internet users
are concerned about “companies collecting and sharing your data.”
What Is the GDPR?
The GDPR is a comprehensive regulation that governs the way all organizations may use
the personal data of people in the EU. It is rooted in a series of historic and regulatory
events, including the Organisation for Economic Co-operation and Development (OECD)
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which
is “a set of recommendations endorsed by the EU and the U.S. that set out to protect
personal data and the fundamental human right of privacy.” 3
Overall, the regulation is intended to harmonize existing EU privacy laws across Europe
and return control of personal data to the individual — whom the regulation refers to as
the “data subject.” Understandably, a key question for many is the effect on the United
Kingdom (UK) post-Brexit — an issue that is and will continue to be addressed by the EU
and the UK Information Commissioner’s Office (ICO).4
KEY CHANGES OF THE GDPR
The GDPR contains ninety-nine articles that detail the specific rights of individuals and
the responsibilities of the organizations that collect and/or process their data.5 The EU
also has laid out the key changes to previous European privacy legislation that focus on
the following areas:
• Territorial Scope,
• Penalties,
• Consent, and
• Rights of the Data Subject.
The following is a digest of the key changes in the GDPR. It is not intended to replace a
thorough reading of the text. To review the complete text, visit the EU Protection of
Personal Data site. Compliance checklists for data controllers and data processors are
available on the ICO website.
TERRITORIAL SCOPE
GDPR applies to any organization that processes the personal data of someone in the
EU or UK, regardless of where the company is located. This means that any company
— whether brick-and-mortar, online, or both — with customers who live in the EU must
comply with the regulation or face stiff financial penalties.6
PENALTIES
Companies in breach of GDPR “can be fined up to 4% of annual global turnover (generally
speaking, gross revenue) or €20 million (whichever is greater)”.7
CONSENT
The GDPR provisions for consent focus on a number of issues related to personal data,
including:
1. How companies request it;
2. How and with what language and context it is granted, and
3. The ease of withdrawing consent — the right to be forgotten.
In all cases, the language used must be clear and plain (not dense and legalistic), the
purpose for requesting the data must be clear, and the consent for using the data must
be distinct from other topics.
RIGHTS OF THE DATA SUBJECT
GDPR primarily concerns itself with three key principles: how organizations request
and manage consent, how they manage the use of and secure the data, and the
organizational oversight needed to protect the “data subject” (Figure 2). “The US Guide
to Getting Consent”, published by the International Association of Privacy Professionals,
is an excellent resource to better understand the nuances and user experience issues
related to notice and consent.8
FIGURE 2: RIGHTS OF THE DATA SUBJECT

At the center: PERSON (aka The “Data Subject”)

PRINCIPLES GOVERNING CONSENT
• Clear, Specific Purpose
• Plain Language
• Easy to Withdraw Consent

PRINCIPLES GOVERNING DATA USE
• Right to Access Data
• Right to Explanation
• Right to Transfer Data (Data Portability)
• Right to Object to Data Profiling
• Right to Be Forgotten
• Breach Notification

ORGANIZATIONAL RESPONSIBILITY
• Privacy by Design
• Data Protection Officers
People in the EU are empowered by the following rights:
1. Breach Notification. Governs the processes and timing for organizations to notify
relevant parties about a data breach.
2. Right to Access. Expands the rights of individuals to access their data, understand
where and for what purpose it is being processed, and receive a digital copy if they
request it.
3. Right to Explanation. Automated decision-making is another important aspect of GDPR.
Articles 13-15 provide rights to “meaningful information about the logic involved” in
automated decisions. As argued by Andrew D. Selbst and Julia Powles, “This is a right to
explanation, whether one uses the phrase or not.” 9
4. Right to Be Forgotten. Entitles people to have their personal data erased, cease further
dissemination of it, and potentially have third parties halt processing of the data as well.
5. Right to Object (to Data Profiling). Grants people the right to object to having their
personal data used to evaluate or profile them with regard to “aspects concerning that
natural person’s performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements.” 10
6. Data Portability. Enables people to receive the personal data concerning them that they
have previously provided in a “commonly used and machine readable format” and have
the right to “transmit that data to another organization.”
7. Privacy by Design (and by Default). Requires organizations’ data controllers to follow
privacy-by-design principles, including using the minimum amount of data possible
and limiting access to personal data. 11
8. Data-Protection Officers. Requires organizations to appoint a data-protection officer,
and lays out the requirements and responsibilities for that role.
These rights have implications that extend deep into a business: security, compliance,
legal, marketing, operations, product development, finance, and customer service, to
name a few. At the same time, we should expect to see a range of responses to GDPR
across the globe. According to a 2017 PwC pulse survey of C-suite executives from
large American multinationals, “54% reported that GDPR readiness is the highest priority
on their data-privacy and security agenda”, and “77% plan to spend $1 million or more
on GDPR.” 12
This preview version of
“GDPR Beyond May 25, 2018”
contains only the first seven pages of the report.
To download the entire report, free of charge,
please visit the link below:
http://bit.ly/altimeter-GDPR-strategy