In recent years, we have witnessed misuse of personal data through social networks and data leaks from large organizations. The European Union wants to prevent similar situations and set an example to the world on how to tackle this problem by means of law.
In 2016, a law came into force, replacing and amending the original personal data protection laws. The two-year deadline for adopting new business rules ends in May 2018.
Personal data are defined as data that can be identified with a particular person. This covers CRM systems, feedback forms, emails/photos/certificates, or loyalty programs. Employees, personal assessments, HR systems, etc. should not be forgotten either.
The act deals with several areas:
Cloud infrastructures make it incredibly easy for companies to switch to GDPR. This is also due to the higher security of Cloud solutions, which most companies cannot afford in an on-premise version.
However, GDPR is mainly about the process. It is not enough to do something once; it is necessary to constantly work with data according to certain rules, and these vary from company to company. These processes should be adopted as soon as possible. It is necessary to map who handles personal data in the company and how. This must be documented, and reporting should be adapted as well.
Another tricky part is of course the software. One thing is how we work with the software (process); another is how we process the data. Most commercial systems managing personal data, such as CRM, will be adjusted to this legislation. For its Cloud solutions, Microsoft offers administrators tools to identify weak spots - a whitepaper is available at this address.
Nevertheless, companies must take care of their customized proprietary systems themselves. These systems should be audited as quickly as possible, because upgrading them may change the company's special process, and adapting that process may take longer than adapting the system itself.