Why was this created in the EU zone?
GDPR is the most important change in data privacy regulation in 20 years. GDPR will apply to all members of the EU and EEA from May 25, 2018. It will replace today's legislation regarding privacy in member countries currently subject to the EU Directive 95/46. You find many of the statutes in the GDPR in the current legislation, but the GDPR is more detailed and precise in certain areas, and takes into account the challenges of the rapidly evolving digital world, which give rise to privacy risks for data subjects. This law requires companies to obtain the consent of the user before collecting data. This is an important step taken by the EU Zone in order to make users' data safe, private & controlled by the user. This law aims to give control of their personal data back to data subjects, whilst imposing strict rules on those hosting and processing this data, anywhere in the world.
What are the consequences for not being compliant?
There have been many talks surrounding GDPR. This is arguably the most significant change in global privacy law in twenty-two years, and businesses must shore up their cybersecurity processes and procedures to avoid facing financial penalties. The UK Government and Information Commissioner's Office (ICO) have made clear that there will be no new legislation to cover the growing threat of cybercrime, as this is a business responsibility to address. The penalties for non-compliance are eye-watering. Infringement of certain articles of GDPR carries fines of up to €20M or up to 4% of total global revenue of the preceding year, whichever is greater. Other fines carry penalties of up to €10M or up to 2% of total global revenue of the preceding year, whichever is greater. These punishments show that it is important that compliance is met and GDPR is not ignored.
For organisations it is not just about fines or punishments. The risk of not meeting GDPR requirements can be cost-prohibitive in other ways. According to recent research, cyber-attacks can cost businesses anywhere from $14.00 to $2.35 million per incident, and data breaches and attacks are growing all the time. Therefore, the cost of an attack on an organisation can have a significant impact. Lastly, there is the cost of brand and reputational damage post-attack. Interestingly, according to recent research by information management company Veritas, only 31% of companies surveyed are worried about reputational damage due to poor data policies, but it can destroy a business and the brand post-attack.
How are companies gearing up for it? Please talk about it from a legal and business perspective. Does it apply only to B2C start-ups, or also to B2B start-ups?
Without a doubt, the protection of customer and partner data is essential for the survival and success of every organisation. However, all too often security, especially encryption, has been regarded as far too complex and expensive for most small and medium-sized enterprises to consider. But with GDPR comes a need for companies of whatever size to recognise the value of their data and be aware of the ever-growing legal framework they need to meet, as well as the resulting penalties for non-compliance. Most organizations these days are becoming compliant with GDPR in order to streamline their business processes. Every organization has personal data, and it becomes critical to protect that data in all possible ways.
Organizations are gearing up by identifying all the sorts of data they have: where it is, who has access to this data, whether the organization can control the data, whether all processors or data storage systems are in place and with what security level, and how the data is transferred within the organization as well as outside it. Most organizations are trying to answer these questions to avoid any GDPR infringement. Organizations are implementing ISO 27001 certification, keeping all data on the cloud, monitoring the data, and keeping processes & documentation in place.
Basically, a 5-step formula is being applied in organizations:
Assess — Assessments and data access across governance, people, processes, data & security
Design — The implementation plan for each business activity is designed to be GDPR compliant
Transform — Implementing procedures, processes & tools to ensure proper GDPR compliance
Operate — Execution & monitoring of relevant business activities & processes and manage consent, data subjects & access rights
Conform — Implementing monitoring, assessment, auditing & reporting on adherence to GDPR
Any business involved in sectors like data-driven marketing, open banking, blockchain, data lakes, consumer experience management, retail, health, finance, agriculture, supply chain, pharma etc. will be under the radar of GDPR. From a legal perspective, organizations have either hired corporate & data lawyers or are consulting with law firms to ensure all practices are followed effectively in the organization, so that there is no harm to business processes & operations at the current stage or in the future.
Any industry using users' data needs to focus on GDPR compliance to protect users' data and keep it safe from any sort of cyber-attack or breach. This law is applicable to both B2C & B2B start-ups because both use consumers' data in all activities & processes. B2C start-ups use consumers' data directly, but they use many accounting, technology, cloud and networking services from B2B clients, and hence it is also important for B2B start-ups to have proper data & security compliance. For example, B2B start-ups keep their technology on the cloud to provide services and hence access consumer start-ups' data regularly to provide these services, so it is most critical for them to comply with GDPR. These days data is the new electricity or fuel for start-ups to build business models that generate revenue, whether in the cloud, SaaS or on-premises. There has been an increase in data-focused start-ups in recent times, and hence it becomes more critical for such start-ups, both B2B & B2C, to stay compliant with GDPR to avoid any issues in the future.
What are the core themes of GDPR?
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below:
Increased territorial scope: Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
Penalties: Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Consent: The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Data Subject Rights: There are strict data subject rights such as data breach notification, right to access, right to be forgotten, data portability, privacy by design and data protection officer notification for all data related activities.
Anything else that they would like to add about GDPR and its importance?
GDPR is itself a process that puts the power for their data protection in the hands of users. It is applicable only from 25 May 2018, and not in any way to companies that have been collecting and accessing data for decades and utilizing it to build machine learning or data-based learning systems. GDPR will impact new businesses in accessing the data needed for critical task processes to get the right outcome. Though users' data is owned by the user, this may have a significant impact on current or future businesses. On the other side, it is a very, very critical and important step, as it gives power back to the user to control their data. There will be no data damage, data breach or violation of consent privacy. This law will streamline all future data-related processes, and the result will be as per the user's consent, not driven by businesses' consent. Businesses will take the data regulations seriously and implement them regardless of their size & operations. Businesses will also have the power, based on the user's consent, to use data for more meaningful outcomes without the use of dark websites for data access. Businesses will deliver what users want instead of forcing things on users even without their interest.
How has Artivatic prepared for it?
Artivatic is an AI platform, and to run AI/ML algorithms, 'data' is the fuel that gets the desired algorithms to perform the task or even apply the learning for the future. None of this can be done without data, and hence Artivatic, being a B2B start-up, has prepared itself to become compliant with GDPR.
Some of the actions that Artivatic has taken:
Data Access System & Processes — All data is placed on a centralized data server with multiple backup options, including cloud. Client data that Artivatic accesses to train its AI/ML algorithms is accessed only by authorized persons. Processes are designed to be compliant with GDPR to ensure that data access is secured & monitored.
Data Sharing Agreement & Daily Logs — Each employee who needs data for training/testing of algorithms or to run any application must sign a proper data sharing agreement, keeping all laws, regulations & articles in place so that no one can breach or misuse the data. Everyone keeps logs of all their activities, which are recorded in a central system.
No data access from home or media storage devices — Artivatic does not permit anyone in the office to take data home for work, and also does not allow any media storage device like a CD, pen drive or hard drive to be used to transfer or carry data in any form.
Local Servers — Artivatic has installed local servers in the office so that data remains on local servers and is accessible over the intranet to the people who need the data.
ISO 27001 & Others — Data certifications are being put in place at Artivatic so that all processes & frameworks are followed, monitored and audited from time to time to ensure data safety & security.
On-Premise Implementation — Artivatic installs & integrates its software, products & technologies on the client's data server on-premises, so there is no data communication from their servers to outside their premises. This ensures the data is safe on the client side and there is no illegal data transfer. The on-boarding system has been designed in such a way that the user has 100% control over their data to authorize or provide consent for business use. Besides these, many measures are being taken at the process, activity & design level to ensure compliance with GDPR.
How will it impact SaaS businesses that are not prepared?
Data security, privacy & safety is already a concern among users, businesses and governance because of current data breaches, data violations like Cambridge Analytica, and even the pushing of unrelated ads and information to users by accessing their data without their permission. SaaS companies collect & access data in many ways at multiple points of the user/business journey, and this makes it critical for them to become compliant with GDPR to ensure data safety & security. SaaS businesses that are not prepared will see a pretty huge impact on their businesses in terms of selling, revenue and even new users' entry. No new business or user will access their services, to avoid any data-related issues, and existing businesses might also withdraw their contracts because these compliances & regulations are not in place. If any data breach or issue occurs after the GDPR guidelines come into force while accessing any EU user information, there will be a huge penalty, and the business will be blocked from any such access. As of now, mostly only businesses accessing EU zone data will be impacted, but users are becoming aware and will ask businesses across the world for all the reasons their data is used. In future, this will impact the entire business ecosystem to become compliant with GDPR or similar laws that protect users' data and provide all controls to the user. SaaS businesses need to get ready for these compliances not only in the EU zone but also across the globe to avoid any such data breach or privacy issues. Therefore, it is suggested to get prepared for these GDPR regulations, as it will not only protect user data but also keep the brand reputation better for the future.