The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
For those still getting to grips with what it means, Sandhya Ramdhany Legal Director for Oracle South Africa and the SDC region, answers some frequently asked questions.What is GDPR?

The EU General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It applies to all organisations inside the EU and any outside who handle and process data of EU residents and citizens.

It is intended to strengthen data protection and give data subjects greater control over how their personal information is used, stored and shared by organisations who have access to it, from employers to companies whose products and services they buy or use.

GDPR also requires organisations to have in place technical and organisational security controls designed to prevent data loss, information leaks, or other unauthorised use of data.

Why is GDPR being introduced?

The EU has had data protection laws in place for over 20 years. However, in that time, the level of personal information in circulation has grown dramatically, and so have the different channels through which personal information is being collected, shared and handled.

As the volume and potential value of data has increased, so has the risk of it falling into the wrong hands, or being used in ways the user hasn’t consented to.

GDPR is intended to bring fresh rigour to the way organisations protect the data of EU citizens and residents, while giving citizens and residents greater control over how companies use their data.

What should organisations do to comply with GDPR?

GDPR does not come with a checklist of actions businesses must take, or specific measures or technologies they must have in place. It takes a ‘what’ not ‘how’ approach, setting out standards of data handling, security and use that organisations must be able to demonstrate compliance with. Given the operational and legal complexities involved, organisations may want to consult with their legal advisor and/or risk managers to develop and implement a compliance plan.

For example, while GDPR strictly speaking does not mandate any specific security controls, it does encourage business to consider practices such as data encryption, and more generally requires businesses to have in place appropriate controls regarding who can access the data and be able to provide assurances that data is adequately protected. It also states businesses must be able to comply with requests from individuals to remove or amend data. But it is up to organisations how they meet these requirements and determine the most appropriate level of security required for their data operations.

What are the penalties for not being compliant with GDPR?

If organisations are found to be in breach of GDPR, fines of up to 4% of global annual revenue or €20 million (whichever figure is greater) could potentially be imposed. Further, given how critical personal data is to a great many businesses the reputational damage could be even more significant, if the public believes an organisation is unfit to control or process personal information.

Who needs to prepare for GDPR?

Any organisation based inside or outside the EU that uses personal data from EU citizens and residents, whether as the controller of that data, such as a bank or retailer with customer data, or a third party company, processing data on the instructions of the data controller, such as a technology company hosting customer data in a datacentre, depending on their respective roles and control over the data they handle.

What personal information is covered by GDPR?

GDPR is designed to give people greater control over personal information which may include direct or ‘real world’ identifiers such as name and address, or employment details, but may also include indirect or less obvious geolocation data or IP address data which could make a person identifiable.

Is GDPR bad for businesses?

Complying with any new regulation may bring additional work and expense but GDPR also gives organisations an opportunity to improve the way they handle data and bring their processes up to speed for new digital ways of working. We are living in a data-driven economy. Organisations need to give consumers the confidence to share data and engage with more online services. Adhering to the requirements of GDPR can help in this regard.

Who should be in charge of GDPR?

GDPR compliance must be a team effort. It is not something that can be achieved in, or by, one part of the organisation. Ultimately, its importance is such that CEOs should be pushing their teams and appointed owners across the business to ensure compliance. Almost every part of a business uses and holds data and it only takes one part of the business to be out of alignment for compliance efforts to fail.

How can Oracle help with GDPR compliance?

Oracle has always been a data company and takes very seriously our role in helping organisations use their data in more effective, more secure ways. We have more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle Cloud solutions are used by leading businesses in 175 countries and we already work with customers in many heavily regulated industries. We can help customers better manage, secure and share their data with confidence.