Hi. I'm Colin Truran, principal technology strategist at Quest. And today, we're going to talk about GDPR. This is the first of three videos, and we're going to talk about why GDPR is important to organizations.
So the first thing is to understand that what's at stake here is risk. Everyone is looking at risk here, and the risk comes from a much broader scope of what GDPR covers as far as personally-identifiable information. PII includes things like IP addresses, photographs, anything that can be used individually or together, collectively, to identify an individual.
And then another significant risk isn't just from the fines that are being levied on organizations that fail GDPR. We've heard about it: 4%, 20 million, or 2%, 10 million, whichever is the greater. But it's the litigation and class action that GDPR brings that's also quite an important risk factor for organizations, and for those individuals at the organizations.
Another big problem, again, with GDPR is the publicity, the fallout. If you get this wrong, there's going to be a lot of publicity around it. And that's going to affect you in so many ways.
For one thing, you're going to get a lot of demands from data subjects asking what information you hold on them. They're going to be asking to transfer, to be forgotten, or erased, which is the correct term, as well as market share and doing business with other organizations. If you are a processor for another organization, they will not be looking to you for the next load of processing that you need to do, moving business.
So what do organizations need to do? They're going to need to invest. GDPR is about a process. But there are investments that will need to be made to get expertise around GDPR, to invest in education, and to invest in solutions to help solve the problems of GDPR modernization.
So we talked about education, but awareness is a big part of GDPR. All organizations need to make sure that everyone is familiar with what GDPR stands for, what personally-identifiable information is, and what their role in that cycle is. But there's advantages to GDPR.
For one thing, we are going to see savings. Savings with regard to the amount of data that you're storing. The accuracy of that data, so it's being used better, so you're getting better returns on anything you do with that data. You're going to be, hopefully, able to make sure that individuals accept that they are going to be mailed or contacted using their information, because they have the right to remove that permission under GDPR. So those you're contacting are going to be happy to be contacted, and you're going to be doing it in the right way.
So finally, it's a fantastic opportunity for organizations to actually stand out. To be better than their competitors, to support GDPR. And also to do the right thing to actually protect the data subjects.
So what are the seven tenets of GDPR, the seven principles behind GDPR? Firstly, accuracy of data. Very important. Making sure that the information you hold is correct.
We're going to make sure of the integrity of that data. So it's not been tampered with, it can't be tampered with. It remains accurate and useful. It's also confidential as well, making sure that it doesn't escape the organization.
We want to make sure that there are storage limits. You're not keeping the data for longer than you should do, or than is necessary. You're going to make sure of purpose limitation. So making sure that it's being used in the right way.
Data minimization. So not only looking at the length of time that you're keeping the data, but also how much data you're storing. Do you need all of that information that you hold on a data subject? Remove what you don't need, because it reduces the security risk, it reduces the footprint.
We need to make sure that we're lawful, that we're fair in our processes, and we're transparent and open in our processes with our data subjects. And then finally, accountability. Make sure that we have someone, that an organization has a process in place, to make sure that they know who is responsible for what, and we can identify what needs to be done.
So let's move on. Business and personal risk. We mentioned that GDPR now has the provision for litigation and class action. What GDPR also does is it turns it on its head.
No longer does a data subject have to prove the guilt or failure of an organization. Under GDPR, an organization needs to prove its innocence. So that's a key area. And litigation is personal as well. So make sure that we understand that it's not just the organizations with those big fines that we keep mentioning if they fail to do anything for GDPR, but litigation and class action is a really big head.
Don't leave it to the last minute. Start processing and working on GDPR now. Because if you fail, you will hit those big fines, and they will make an example. So don't be the worst by being the first to fail. And also, remember that litigation gets personal.
So finally, let's have a quick recap about risk. What risk GDPR poses. And where does risk and blame fall, and where does it need to be attributed to?
Before GDPR, it used to be possible to actually say, as a data controller, I pass on that risk and responsibility to my data processor. That doesn't happen under GDPR. I still have that responsibility.
So now, I need to look at all of my processes, internally and externally, to see whether they pose a significant risk. So they need to document to make sure that they actually understand their own risks and their own processes. Prove that to me.
And I need to do that for every step of the process, all my processes in the chain. And they need to do it for their processes in the chain. So this is going to drive a huge risk assessment and reevaluation of who you're doing business with.
So thank you very much. That's the first of three videos that are introducing GDPR.