What is the General Data Protection Regulation (GDPR)?
The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Because the EU required each member state to implement a Directive into national law, Europe ended up with a patchwork of different privacy laws.
Additionally, increasing security breaches, rapid technical developments, and globalization over the last 20 years have brought new challenges for the protection of personal data. To address this situation, the EU developed the General Data Protection Regulation (GDPR), which is directly applicable as law across all member states. The key difference is that the GDPR is not a directive; it is a law with penalties for non-compliance.
Why does the GDPR matter to our customers and to Oracle?
The GDPR goes into effect May 25, 2018. It will apply to any company that collects and handles personal data from EU-based individuals. Personal data, also known as personal information or personally identifiable information (PII), is defined as:
Any information relating to an individual who can directly or indirectly be identified by reference to identifiers such as names, identification numbers, location data, online identifiers, or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
These new and stronger individual rights, accountability requirements and increased scrutiny from regulators mean that companies that collect and use offline and online personal data in the EU will need to update and manage their data handling practices and use cases more carefully than ever.
What’s the impact of non-compliance?
Organizations can be fined up to 4% of annual global turnover (revenue) or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts (taking privacy into account throughout the whole engineering process). It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
- Data subjects are living EU citizens to whom personal data relates.
- Organizations within and outside Europe that process the personal data of EU data subjects must be GDPR compliant.
- Controllers or organizations that collect data and determine the use, conditions and means of processing personal data must be GDPR compliant.
- Processors or organizations that process data on behalf of controllers must be GDPR compliant.
The GDPR strengthens existing privacy and security requirements such as notice and consent, technical and operational security measures, and cross-border data flow mechanisms. It’s built on established and widely accepted privacy principles such as purpose limitation, lawfulness, transparency, integrity and confidentiality.
The GDPR also formalizes new privacy principles such as accountability and data minimization, which are reflected throughout the text, including in the following requirements:
Companies must implement an appropriate level of security, encompassing both technical and organizational security controls to prevent data loss, information leaks, or other unauthorized data processing operations. The GDPR encourages companies to incorporate encryption, incident management, network and system integrity, availability and resilience requirements into their security program.
Data breach notification
Companies must inform their regulators and/or the impacted individuals without undue delay after becoming aware that personal data they hold has been subject to a data breach.
Companies will be expected to document and maintain records of their security practices, audit the effectiveness of their security program, and take corrective measures where appropriate.
Data Subjects are the individuals to whom personal data relates, e.g. your customers or Oracle’s customers. Under the GDPR Data Subjects have the following rights:
1. Right to be informed
This encompasses an obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how personal data will be used. The information about the processing of personal data must be:
- Concise, transparent, intelligible and easily accessible.
- Written in clear and plain language, particularly if addressed to a child.
- Free of charge.
2. Right of Access
Part of the expanded rights of data subjects outlined by the GDPR is:
- The right for data subjects to obtain from the data controller confirmation as to whether personal data concerning them is being processed, where, and for what purpose.
- The controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
3. Right to Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the personal data in question is disclosed to third parties, individuals must be informed of the rectification where possible. Data controllers must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
4. Right to Erasure
Also known as the “right to be forgotten,” the right to erasure entitles the data subject to:
- Have the data controller erase his/her personal data.
- Cease further dissemination of the data.
- Potentially have third parties halt processing of the data.
The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.
5. Right to Restrict Processing
Under the Data Protection Authorities (DPA), individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, data controllers are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future.
6. Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. Right to Object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
8. Right in Relation to Automated Decision Making and Profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
Oracle is committed to helping our customers comply with the new GDPR requirements with more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Oracle successfully manages critical business data for thousands of CX customers and tens-of-thousands of SaaS customers globally.
The Oracle CX Cloud Suite provides a consistent and unified data protection regime for global businesses. Built-in privacy and security features put users in control of the personal data they handle, helping them to build consumer trust. We're also actively engaged in product reviews to further assess which additional features and functionalities can be embedded into our applications or made available to our customers.
Collecting Personal Data
Oracle enables companies to capture personal data across different channels. Business users can incorporate mechanisms that enable their end-user customers to make informed decisions about the use of their personal data as part of these data capture processes. Oracle CX Cloud Suite provides controls that can be configured to meet specific business requirements such as when someone is visiting your website, submitting a web-form, or sharing personal data across social media channels.
Managing Personal Data
Today’s businesses capture vast amounts of personal data. Marketing, sales and commerce teams require powerful tools that enable them to manage this data at scale. The Oracle CX Cloud Suite provides a comprehensive portfolio of features that make it easy for teams of users and consumers to manage personal data. This includes the ability to update personal data on request, as well as securely transfer personal data at scale leveraging modern APIs and Secure File Transfer Protocol (SFTP) mechanisms.
Protecting Personal Data
Businesses have a responsibility to secure personal data to protect the integrity of their customers. The Oracle CX Cloud Suite is built with native, state of the art data security mechanisms and controls derived from ‘privacy by design and privacy by default’ principles. These capabilities include encryption, anonymization and more, to protect personal data at the highest possible standard. Granular access controls enable organizations to distinguish which individuals or groups should have access to personal data.
GDPR Compliance with Oracle Cloud Applications - Download this paper to understand how Oracle Cloud Applications can be utilized for GDPR compliance.
Security Solutions
If you have additional data privacy and security needs beyond the standards and options built into SaaS, PaaS or IaaS, Oracle offers additional cloud security solutions and options. These solutions are designed to protect data, manage user identities, and monitor and audit IT environments. Oracle Cloud customers can also select additional Managed Security Services (MSS) to leverage Oracle expertise in deployment and security technology management to further accelerate their path to GDPR compliance.
GDPR Compliance with Oracle Database Security Products - Download this paper to understand how Oracle Database Security technology can be utilized for GDPR compliance.
Visit Oracle's GDPR Resource Center