GDPR (General Data Protection Regulation) is the fundamental modernization of European data protection legislation, taking into account how the collection and use of digital data has evolved over the last decades. It aims to harmonize data protection legislation across the European Economic Area. Under GDPR, individuals who are in the EU can expect greater data protection, privacy, and control over their personal data.
Given the widespread impact of GDPR, businesses around the world need to pay close attention. Here are two big reasons why.
Because it probably applies to you
GDPR is not only binding for EU companies. Companies worldwide that collect, process, or analyze personal data of individuals who are in the EU must comply with the regulation when that processing relates to offering goods or services to those individuals or to monitoring their behaviour (Article 3(2)) – or face significant financial penalties, which can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
GDPR applies to personal data, including the special categories of personal data commonly called “sensitive personal data.” There are varying interpretations of its edges, but the GDPR itself is clear: any information relating to an identified or identifiable natural person (the data subject) is personal data (Article 4(1)). The special categories are listed in Article 9(1) as data revealing racial or ethnic origin; political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed to uniquely identify a person; data concerning health; and data concerning a person’s sex life or sexual orientation.
Because it protects all individuals
GDPR protects all individuals, which could include your employees, your customers, your suppliers, and any other business partners you are working with. More specifically, individuals have the right to access their personal data, to have errors corrected, to object to or restrict processing, to have their data erased, and to receive an export of their data from companies in a portable format. Companies, on the other hand, have increased responsibilities with regard to data protection and privacy, including the following.
- Safeguards and control: Businesses are required to protect personal data using appropriate technical and organizational security measures, integrate the necessary safeguards into the processing itself (data protection by design and by default), maintain records of processing activities, and notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and notify the affected individuals when the breach is likely to result in a high risk to them.
- Data subject rights processes: Organizations need to provide notice and establish a lawful basis for data collection and processing (consent is one such basis, but not the only one), disclose the purpose for which personal data is used, define data retention and deletion policies, and be able to act on the rights listed above within the statutory deadlines.
- Process and people: All companies need to implement processes that ensure compliance with the principles relating to processing of personal data. Employees need to be trained regularly. Companies also have to audit and update data protection and privacy policies, and, where the regulation requires it, appoint a data protection officer.
At SAP and SAP Ariba, we are committed to helping our customers meet these data protection and privacy challenges and protect the confidentiality, integrity, and availability of data in our highly regulated world. We are preparing for GDPR by actively enhancing our products to help you get ready to meet these new requirements and others to come.
Interested in learning more on how SAP and SAP Ariba can help you on your journey to GDPR compliance? Please visit our GDPR resource center.