GDPR is coming into force on May 25, 2018, and we are READY. Here is everything you need to know.
What is GDPR
GDPR is an acronym which stands for General Data Protection Regulation. The new data protection law is designed to give individuals better control over their personal data, and to establish a unified approach to online privacy across the European Union. In other words, GDPR is actually a standard for the handling of private information, with some related legal implications, not unlike HIPAA and SOX. It is important to point out that although the new standard is only applicable in Europe, organizations located outside the EU are also subject to these regulations when dealing with EU citizens.
What Makes GDPR Different
GDPR transfers the responsibility over users’ information and privacy from individuals to the organizations which cater to them. In this way, under the new regulations, organizations will be required to be able to provide clear proof of consent, in order to collect and hold on to users’ information. The regulations also limit the type of information which may be collected, to support specific, clear and legitimate purposes.
In addition, GDPR dictates that organizations have to provide users with a comfortable way to withdraw their consent at any time, and to limit the time their data is retained, once the reasons for its collection no longer apply. In short, by requiring businesses to be more proactive in protecting their customers’ data, these regulations are meant to put the onus of proof on organizations and prevent them from abusing their power over individuals.
Why is Everybody So Anxious
SaaS providers are anxious about the GDPR, because while it is quite easy to determine whether their end users come from EU countries or not, providing two versions of the same product is not. Also, maintaining two completely separate systems for marketing and managing customers significantly raises the required investment, in terms of money and time.
The more viable (and therefore more probable) strategy to adapt to the new regulations is to make sweeping changes, which will completely alter the way organizations handle themselves in the market. It also means “game over” for organizations which will not be able to adapt to the new situation and maintain their profitability.
GDPR and Iridize
Iridize complies with the regulations and restrictions of GDPR, and allows its clients to enjoy the full benefits of its system, without jeopardizing the safety of their data and that of their clients and employees.
The aspects of privacy that GDPR addresses may be divided into three elements: Data Collection, Data Use and Data Retention. Iridize complies with all aspects of the new regulations. That is why when May 25 rolls around, our clients will be able to continue using Iridize without a glitch. Here is how:
Data Collection: At its very core, Iridize is a system for content creation and delivery. As such, it is inherently GDPR compliant – meaning it requires no data accumulation in order to function. In addition, our system does not stand on its own. It is a layer added onto a pre-existing product. The practical meaning of this is that, as a product for training and technical onboarding, we do not impinge on users’ privacy to begin with. Therefore, we naturally comply with GDPR regulations.
To be sure, our product does collect some data. None of it, however, is private, identifiable, or of the kind which may be traceable back to a specific person. In this way our users’ privacy is preserved. But the anonymity of the end-users does not mean that our clients do not receive a wealth of useful information, which could be used to improve the learning process.
Data Use: GDPR does not only restrict the data which may be justifiably collected, but also what can be done with it. The data we enable our clients to compile is directly related to the purposes of our system. Our clients can see how their end-users handle themselves through the process of onboarding and/or professional training. This information may then be utilized to constantly improve the users’ experience and proficiency.
In this respect, Iridize does not only follow the privacy law itself, but its spirit as well. Users are not tagged for remarketing, they are not followed around the web, and whatever data is collected about their onboarding or training process is not of the kind which may come into conflict with the privacy law.
Data Retention: As mentioned above, one of the key elements in the GDPR regulations is the limit set on data retention, even after it has been collected legally, with the end-users’ consent. This is problematic not only because it forces organizations to give up and destroy data, but because it does so differentially. Each end-user must be able to decide how long he wants his data to be kept. Each additional option complicates the handling of data, and the level of security required. However, because the data collected by Iridize is anonymous, and very goal-oriented, there is currently no limit on the amount of time it may be retained. This too significantly reduces the level of adaptation which might otherwise be required for our clients’ own GDPR compliance.