Sunil Belgaonkar takes us through the most important aspects of the new GDPR and how it affects you.
Happy New Year to you!
You’ve probably heard of the European Union’s upcoming General Data Protection Regulation. This regulation aims to enhance privacy and strengthen data protection rights for EU citizens by defining, among other things, “Principles Relating to Data Quality,” “integrity and confidentiality,” a “right to portability” and a “right to be forgotten.”
Even if you already have an existing privacy solution or do not have offices in the EU, you can’t afford to overlook this regulation. Because it has been designed to cover all business applications that address EU citizens, even if those applications are developed and/or operated by companies outside of Europe, you’re almost certainly bound by it if your business touches the European market. Ignoring this fact could lead to large fines.
Once the regulation is approved, the EU has stated that there will be a two-year transition period used to advise citizens of their rights and companies of their obligations. The net result will be companies prioritizing ‘GDPR compliance’ on their list of requirements when procuring (or renewing) IT products and services.
I have gathered this summary from different sources, and I highly recommend that you read the entire text of the regulation and talk to your corporate legal team to understand the actual implications of this regulation for your business.
The European Commission plans to unify data protection within the European Union (EU) with a single law, the General Data Protection Regulation (GDPR or the regulation). The regulation aims to enhance privacy and strengthen data protection rights for EU citizens. The previous EU Data Protection Directive 95/46/EC did not consider important aspects such as globalization, and was developed before recent technological developments, including social networks and cloud computing. The Commission determined that new guidelines for data protection and privacy were required.
A couple of weeks ago, EU Parliament’s Civil Liberties Committee announced that they had reached agreement on the text for the EU’s new General Data Protection Regulation, which will replace the aging 1995 Data Protection Directive (read the full text here) as the EU’s data protection law.
As a regulation, as opposed to a mere twenty-year-old directive, it directly imposes a uniform data security law on all EU members. Once it receives the approval of the EU Parliament, it will become the law in every member state, thereby harmonizing EU data protection and privacy law from A(msterdam) to Z(agreb).
Article 3 of the GDPR states that any company that markets goods or services to EU residents may be viewed as subject to the GDPR, regardless of whether the company is located or uses equipment in the EU or not. This provision essentially makes the GDPR a worldwide law, as many entities—think app developers to e-commerce companies and multinational corporations—want or need access to the European market, even if they do not have any European offices.
Article 79 states that a company that violates certain provisions of the GDPR—such as the basic processing principles or the rules relating to cross-border data transfers—may be subject to fines amounting to 20 million Euros or 4% of the company’s total worldwide annual turnover. Remember, GDPR is about protecting the privacy of EU citizens’ data—irrespective of where the ‘violator’ is based.
Article 32 states that the controller does not have to provide notice to data subjects if the controller had implemented “appropriate technical and organizational protection measures” and applied those measures to the affected data.
Clearly, implementing the suggested protocols to guard against a data breach is far more cost effective than having to inform every single data subject (EU citizen) of the breach and paying fines.
Under Article 6 of “Principles Relating to Data Quality,” member states are required to ensure that personal data be processed fairly and lawfully; collected for specified and legitimate purposes; adequate, relevant, and not excessive given the purposes for which the data was collected and processed; accurate and kept up to date, where necessary.
Article 5 adds an additional “integrity and confidentiality” principle, which requires that data be “processed in a way that ensures appropriate security of the personal data.”
Article 18 of the GDPR grants data subjects a “right to portability” with regard to personal data of theirs that is automatically processed. This provision allows data subjects to more easily transfer their personal data from one application to another. A data subject also has the right to receive any personal data he or she provided “in a structured and commonly used and machine-readable format.”
Article 17 sets out the “right to erasure,” also known as the “right to be forgotten,” which gives a data subject the right to order an application to erase any of the data subject’s personal data in certain situations.
If your application collects personal data or processes any personal data, you may want to take a look at the details of the regulation and plan on being compliant ASAP.
Article 35 requires companies whose core activities involve large-scale processing of personal data—defined as information that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sex life, or sexual orientation—to designate a Data Protection Officer.
Under Article 37, Data Protection Officers must provide advice about, and monitor compliance with, the Regulation, as well as serve as the contact person for communications with the relevant supervisory authority. In addition, there will be regular periodic audits by supervisory authorities.
Article 31 of the Regulation sets out a single data breach notification requirement designed to be applicable across the EU. The rule requires controllers to notify the appropriate supervisory authority of the personal data breach within 72 hours of learning about the breach.
As stated above, once approved, there will be a two-year transition period. Expect it to take effect sometime in 2018.
You’ll need to review your applications carefully to make sure they are compliant. I’m happy to report that Progress® OpenEdge® is already equipped to meet the needs of the “integrity and confidentiality” clause detailed in Article 5 in a number of key ways, saving you time and worry:
Don’t forget that early compliance with GDPR can be a marketable factor for your business application. Taken as an opportunity, the GDPR can be your chance to differentiate yourself from competitors.
I hope this article provides you with enough content to get started, and drives home the point that the GDPR is coming soon—and you should start planning for compliance ASAP.
Sunil Belgaonkar brings more than 22 years of software industry experience to his position at Progress, and is currently responsible for the strategy and direction of OpenEdge business.
Copyright © 2017, Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.