10 reasons why North American companies should care about Europe’s GDPR
As of May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) applies to every organization that processes the personal data of people in the EU, including businesses based in North America. GDPR creates a new set of digital rights that puts the individual in control of their personal data. The mandate is comprehensive and requires more than just managing a customer database: information held in marketing, human resources, IT and the supply chain may also be affected. And with significant fines for non-compliance, GDPR cannot be ignored. In this article, we have summarized 10 common myths about GDPR to help North American business leaders understand how the regulation affects them.
1) GDPR doesn’t apply to North American companies
Yes, it probably does. The test is not where your company is based but whose data you handle: GDPR applies to organizations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour, regardless of the person's citizenship. Did an Austrian resident purchase a ticket and travel on your airline? Did a German resident book a hotel through your website? Do people in the EU order merchandise from your company website? Did your hospital treat a Belgian visitor in the U.S.? Do you have suppliers based in an EU country whose staff contact details you store? If you answered yes to any of these examples, GDPR may apply, no matter where the transaction happens.
2) We look at the GDPR fines as a cost of doing business in Europe
The EU made non-compliance an expensive proposition. Administrative fines are set in two tiers. Infringements of core obligations such as the data protection principles, the conditions for consent, data subjects’ rights and international transfers can draw fines of up to €20 million (approximately $25 million USD) or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements of obligations such as security measures, breach notification and appointing a DPO fall in the lower tier of up to €10 million or 2% of turnover. The supervisory authority weighs factors such as the nature and duration of the infringement, intent or negligence and the steps taken to mitigate harm, so the maximum will not necessarily apply to a first violation. However, if a company repeatedly ignores its GDPR obligations, the fines will be substantial, and the authority can also order a temporary or definitive ban on processing.
3) We don’t have any EU residents in our customer database
GDPR applies to both structured and unstructured data, which means it affects more than just traditional databases. Unstructured data includes emails, photos, word processing documents, presentations, webpages and video files: information that does not reside in a row/column format. Experts estimate that 80-90% of data in any organization is unstructured, and it usually grows much faster than structured databases do. The practical consequence is that “we have no EU residents in our customer database” is not a complete answer until you have also looked at mailboxes, file shares, backups and collaboration tools.
4) North Americans aren’t as worried about protecting their data
Customers care about their data. In the U.S., 59% of internet users said their most concerning issue about their online usage is cybercrime such as having money or personal information stolen. Data and privacy breaches erode trust between you and your customer. Under GDPR’s data minimisation principle, you may only collect information that is adequate, relevant and limited to what is necessary for the purpose you have stated. Consumers can request a copy of the details you hold on them and have mistakes corrected. Under certain conditions they can also ask you to transfer their data to another organization in a structured, machine-readable format. GDPR puts control of personal data in the hands of the consumer.
5) Companies outside the EU can wait to report a data breach
In 2017, Equifax’s systems were compromised and its database breached. It is estimated that the names, addresses, Social Security Numbers and, for a smaller subset, credit card numbers of more than 140 million Americans were accessed during the attack. Equifax waited about six weeks after discovering the intrusion before it reported the breach, and the full extent of the data accessed may never be known. Under GDPR, the Data Controller has a legal obligation to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. If notification is late, the reasons for the delay must be given. Where the breach is likely to result in a high risk to the people affected, they must be informed as well, and a processor that detects a breach must notify its controller without undue delay. Underlying all of this are the GDPR’s data protection principles: personal data must be processed lawfully, fairly and transparently, collected for specified purposes, limited to what is necessary, kept accurate and up to date, retained no longer than needed, and processed securely.
6) As long as we don’t have a person’s name, we can collect information on EU citizens
GDPR defines personal data broadly: any information relating to an identified or identifiable person, and a name is far from the only identifier. Identification numbers, location data, online identifiers such as IP addresses and cookie IDs, photos, medical records, financial status, fingerprints, banking details, social media posts and more can be used to identify a person, directly or in combination. It can relate to a person’s private or professional life. If you are collecting information on people in the EU that could be used to single them out, even without a name attached, you need to comply with GDPR.
7) We made the font size bigger on our consent form
There are no more pre-ticked boxes or lifetime consent forms. GDPR strengthens the conditions for consent in favor of the consumer: consent must be freely given, specific, informed and unambiguous, and it must be given by a clear affirmative action. Silence, pre-ticked boxes or inactivity do not count, and consent must be as easy to withdraw as it was to give. The days of small type and scrolling through a massive amount of text are gone. Companies will no longer be allowed to use consent forms filled with legal jargon that is incomprehensible to the average person; the request for consent must be in clear and plain language, in an accessible format, and clearly distinguishable from other matters. For special categories of personal data, such as health, biometric or political information, explicit consent is required. Companies must also be able to demonstrate that consent was obtained, which means keeping a record of what the person agreed to and when.
8) The “Right to be Forgotten” will just mean we delete a record
Under GDPR, consumers are given control over their data and this includes the right to erasure, commonly called the right to be “forgotten.” However, depending on how you use the data, simply deleting a name may not be enough to remove all the identifiers, and it may break referential integrity or other records in your systems. The same person may appear in a CRM, a data warehouse, log files, backups and exports held by third-party processors, and the controller is responsible for passing the erasure request on to those recipients where possible. The right is also not absolute: data that must be retained to meet a legal obligation, for example financial records, can be kept, but you need to be able to justify and document that decision. The right to be forgotten needs more planning than a delete key.
9) We can wait to appoint a Data Protection Officer (DPO) once we have a breach
Not every company is required to appoint a DPO under GDPR. The appointment is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even where it is optional, it is wise to appoint one as early as possible, because in most large organizations it can take up to a year to inventory the data you hold, review how it is actually used and drive the resulting process change. The DPO is a serious position and can be either an employee or a third-party contractor. They need expert knowledge of data protection law and practice, must be given the resources to do the job and to stay current on security, must report to the highest level of management and must be free of conflicts of interest. Their tasks include advising the organization, monitoring compliance and acting as the contact point for the supervisory authority and for data subjects. The DPO is also the natural owner of the organization’s records of processing activities and of the breach notification process, although the legal duty to keep those records and to report breaches rests with the controller.
10) Our IT department will figure it out by the deadline
GDPR affects more than just your IT department. It changes business processes across the organization, and business change is part of becoming GDPR compliant. According to a 2017 Dimensional Research survey, 61% of U.S. privacy professionals had not begun their GDPR implementation and 98% said they require additional investment to comply. The same survey showed that 23% of large U.S. companies expected to spend more than $1M on GDPR compliance. It is a significant investment of time, resources and budget, and it cannot simply be handed to IT. GDPR is about establishing good data privacy practices across the whole business.
Written by Philip Higginbotham, Principal – Insights & Data Practice at Capgemini and Philip A. Jones, North America GRC Practice Leader – GDPR COE at Capgemini
Intelliwave SiteSense boosts APTIM material tracking
“We’ve been engaged with the APTIM team since early 2019 providing SiteSense, our mobile construction SaaS solution, for their maintenance and construction projects, allowing them to track materials and equipment, and manage inventory.
We have been working with the APTIM team to standardize material tracking processes and procedures, ultimately with the goal of reducing the amount of time spent looking for materials. Industry studies show that better management of materials can lead to a 16% increase in craft labour productivity.
Everyone knows construction is one of the oldest industries but it’s one of the least tech driven comparatively. About 95% of Engineering and Construction data captured goes unused, 13% of working hours are spent looking for data and around 30% of companies have applications that don’t integrate.
With APTIM, we’re looking at early risk detection, through predictive analysis and forecasting of material constraints, integrating with the ecosystem of software platforms and reporting on real-time data with a ‘field-first’ focus – through initiatives like the Digital Foreman. The APTIM team has seen great wins in the field, utilising bar-code technology to check in thousands of material items quickly compared to manual methods.
There are three key areas when it comes to successful Materials Management in the software sector – culture, technology, and vendor engagement.
Given the state of world affairs, access to data needs to be off site via the cloud to support remote working conditions, providing a ‘single source of truth’ accessed by many parties; the tech sector is always growing, so companies need faster and more reliable access to this cloud data; digital supply chain initiatives engage vendors a lot earlier in the process to drive collaboration and to engage with their clients, which gives more assurance as there is more emphasis on automating data capture.
It’s been a challenging period with the pandemic, particularly for the supply chain. Look what happened in the Suez Canal – things can suddenly impact material costs and availability, and you really have to be more efficient to survive and succeed. Virtual system access can solve some issues and you need to look at data access in a wider net.
Solving problems comes down to better visibility, and proactively solving issues with vendors and enabling construction teams to execute their work. The biggest cause of delays is not being able to provide teams with what they need.
On average 2% of materials are lost or re-ordered, which only factors in the material cost, what is not captured is the duplicated effort of procurement, vendor and shipping costs, all of which have an environmental impact.
As things start to stabilise, APTIM continues to utilize SiteSense to boost efficiencies and solve productivity issues proactively. Integrating with 3D/4D modelling is just the precipice of what we can do. Access to data can help you firm up bids to win work, to make better cost estimates, and AI and ML are the next phase, providing an eco-system of tools.
A key focus for Intelliwave and APTIM is to increase the availability of data, whether it’s creating a data warehouse for visualisations or increasing integrations to provide additional value. We want to move to a more of an enterprise usage phase – up to now it’s been project based – so more people can access data in real time.