GDPR: “Data protection by design and by default” in practice
December 5, 2017
By Jimma Elliott-Stevens, Infor Global Privacy Officer and Associate General Counsel
Data privacy becomes a high-stakes proposition in May 2018 when the General Data Protection Regulation (GDPR) takes effect in the European Union. The new measure ushers in the most significant changes in EU digital privacy regulation since the existing Data Protection Directive became effective in 1995. GDPR includes fines for noncompliance of up to 4% of global gross revenue, or €20 million, whichever is greater. Naturally, numbers of that size attract executives’ attention. EU representatives say they don’t intend to levy the draconian penalties that the measure allows, but many executives find little comfort in that claim.
Although GDPR primarily targets companies with EU-based operations, it affects all businesses that provide goods or services to any EU resident. Not only does this new regulation impose new obligations on organizations of all sizes, it also sets stricter standards for obtaining individuals’ consent to collect or process personal data. Moreover, it creates distinct responsibilities for companies that control data, as well as for those that process data.
Making data protection a top design priority
At Infor, we’re fortunate to be deep in the process of migrating our business software portfolio to the cloud, which is the perfect time to set new technology design priorities to address emerging issues like GDPR. We’ve made data protection and security a top concern in our technology roadmap. As a result, many of our cloud-based solutions meet the most essential GDPR requirements, and as our products evolve, we have concrete plans to bring all of our major cloud-based products into compliance with GDPR requirements such as access, rectification, data return, and the right to be forgotten. We are also enhancing our technical and organizational measures to satisfy GDPR compliance standards.
GDPR compliance, however, involves far more than running compliant technology. The regulation imposes specific requirements on an organization’s business processes, particularly on the ability to respond promptly and accurately to individuals’ preferences over the handling of their personal data. Responsiveness and flexibility are central goals of our software design. That level of agility serves our customers in important ways that began long before GDPR compliance and will extend far beyond the need to satisfy regulations. In a marketplace and technological landscape that advances with unprecedented speed, businesses need software that helps them stay competitive—particularly amid the ever-evolving, global data protection laws. That’s exactly what we aim to help our customers accomplish.
Flexibility is even more important with respect to GDPR compliance, because the regulation’s requirements are still in flux and subject to varying interpretations due to the complexity of the issues it aims to address. It’s conceivable that uncertainty about the interpretation of GDPR requirements will continue for some time until the right balance between privacy, convenience, and cost is achieved. We’re ready to help our customers navigate this period of regulatory uncertainty.
Walking a mile in our customers’ shoes
As a US-based company with longstanding EU-based operations, we have extra incentive to master GDPR compliance because we’re subject to the regulation ourselves. Like many of our customers, we fall into two distinct categories of the regulation—data processor and data controller—each with distinct responsibilities. That fact adds new challenges to customer relationship management, both B2B and B2C, especially if your operations involve third-party processors and partners. Therefore, sharing a position similar to that of most of our customers makes us closely attuned to our customers’ needs.
The exact text of the GDPR uses the phrase “data protection by design and by default” to describe the fundamental importance and value of handling personal data properly. Infor’s technology roadmaps include making data protection an emphasis of our products—in the cloud and on-premises. We’re striving to enhance the data protection capabilities of our products to satisfy GDPR and the demands of our customers.
Putting top priority on data security
I can tell you firsthand that Infor doesn’t just give lip service to data security. As Infor’s global privacy officer and associate general counsel for all matters concerning data protection, I’ve been tasked by our CEO, Charles Phillips, with ensuring that Infor’s products and processes meet or exceed stringent global regulatory requirements, including GDPR. Our executive team has taken a top-down management approach to privacy and data security, and so I’ve seen directly the importance and urgency our designers and developers place on delivering the capabilities needed to comply with GDPR and other global regulations so our customers, and theirs, achieve the highest possible level of data protection available.