GDPR – European General Data Protection Regulation comes into effect on May 25, 2018.
For those of you who don’t have the background – GDPR is the fundamental modernization of European data protection legislation, taking into consideration the evolution of digital data over the last decades. It aims to harmonize data protection legislation across the European Economic Area (EEA). For US audiences, the question that often comes to mind is why there is so much concern about data protection and privacy. Keep in mind that data protection is a fundamental right in the European Union (Article 8(1) of the EU Charter of Fundamental Rights), similar to freedom of speech in the US.
Now that we have the background on GDPR, let’s talk about what data it applies to. GDPR applies to Personal Data and to special categories of Personal Data called “Sensitive Personal Data”. There are varying interpretations out there, but at a very high level, any information relating to an identified or identifiable individual (the data subject) is Personal Data. Special categories of Personal Data (or Sensitive Personal Data, as we call them in SAP SuccessFactors) are called out in Article 9(1) of GDPR as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, etc.
Let’s also talk about the roles and responsibilities of different parties. GDPR articles talk about three parties – Data Subjects, Controllers and Processors.
- Data Subject is the end user whose data is being processed.
- Controller is the organization that owns the data subjects’ data.
- Processor is the organization (e.g. the cloud provider) that processes the data on behalf of the controller.
The onus of demonstrating GDPR compliance lies on both Controllers and Processors (Article 28(10) and Article 5(2), among others).
Join me at session 51085 SAP SuccessFactors General Data Protection Regulation (GDPR) Readiness at SuccessConnect Las Vegas to learn more. See you soon!