What Are the Key Requirements of GDPR?
The GDPR was built on established and widely accepted privacy principles, such as purpose limitation, lawfulness, transparency, integrity, and confidentiality. It strengthens existing privacy and security requirements, including requirements for notice and consent, technical and operational security measures, and cross-border data flow mechanisms.
To adapt to the new reality of a digital, global, and data-driven economy, the GDPR also formalizes new privacy principles, such as accountability and data minimization, which are reflected throughout the text, including in the following requirements:
- Data security. Companies must implement an appropriate level of security, encompassing both technical and organizational security controls, to prevent data loss, information leaks, or other unauthorized data processing operations. The GDPR encourages companies to incorporate encryption, incident management, and network and system integrity, availability, and resilience requirements into their security program.
- Extended rights of individuals. Individuals have greater control over, and ultimately greater ownership of, their own data. They also have an extended set of data protection rights, including the right to data portability and the right to be forgotten.
- Data breach notification. Companies have to inform their regulators and/or the impacted individuals without undue delay after becoming aware that their data has been subject to a data breach.
- Security audits. Companies will be expected to document and maintain records of their security practices, to audit the effectiveness of their security program, and to take corrective measures where appropriate.
If you would like to learn more about some of the requirements particularly relevant for marketers, please review Oracle’s GDPR for Marketers white paper, which has more information about the native data privacy and security features provided across Oracle Marketing Cloud.