Companies operating within the European Union (EU) or outside organizations conducting any business in the EU have been scrambling to prepare for the General Data Protection Regulation (GDPR) implementation date of 25 May 2018. With GDPR, Europe is taking a firm stance on the protection of personal data rights for European citizens and within the EU generally. Companies that do not meet GDPR requirements could be fined up to €20 million or up to 4% of the annual worldwide turnover for activities such as working with data providers who source data not compliant with EU data privacy laws.
Fortunately, a dedicated team at Ekata has been preparing for GDPR for over a year. We have processes and controls in place specifically designed to meet GDPR requirements and plan to roll them out publicly prior to the May 25th implementation deadline.
Ekata’s upstream data sources have been thoroughly vetted to ensure that they have obtained the proper consent from European data subjects so that data can be used in our products and services. Furthermore, Ekata only serves fraud prevention use cases in the EU, providing services to protect companies operating in the EU from fraud and to protect their consumers from identity theft.
One of the most important aspects of GDPR is the data subjects’ right to access, correction, and erasure of their personal information. For example, Article 17 gives data subjects the right to require a data controller to delete their personal data. However, the GDPR does not give the data subject the right to be completely “forgotten”; under certain conditions, the data subject’s right of erasure may itself be subject to the company’s legitimate interests in retaining and processing the data. Businesses that operate as data controllers should comply with the right to erasure under the following conditions:
- The data subject withdraws the consent on which the processing was based and there is no other legal ground for continuing the processing. (To learn more about legal grounds for processing see GDPR Article 6.)
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for the purposes of direct marketing. (To learn more about the right to object, see GDPR Article 21.)
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with an EU legal obligation to which the company is subject.
Ekata has developed mechanisms to comply with these requirements in the event that a European citizen, or one of our business-to-business customers (on behalf of a European citizen), exercises his or her right to erasure.
GDPR is newer in the landscape, but Ekata has been taking data privacy seriously since our founding 20 years ago. Ekata has been doing business with European companies and data providers for years now. Our data sourcing and data management processes, including our SOC2 policies and procedures, have been built around protecting data and supporting data privacy regulations. In that sense, GDPR is just the latest in our ongoing privacy and compliance efforts.