What is GDPR?
The European Union (EU) introduced its previous data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Since the EU requires each member state to implement a directive into national law, Europe ended up with a patchwork of different privacy laws across different countries. In addition, increasing security breaches, rapid technological developments, and globalization over the last 20 years saw new challenges for the protection of personal data come to the forefront. In an effort to address this situation, the EU developed the GDPR, which is directly applicable as law across all member states.
GDPR—data security
The GDPR was built on established and widely accepted privacy principles to strengthen existing privacy and security requirements, including requirements for notice and consent, technical and operational security measures, and cross-border data flow mechanisms.
Security and protection of the customer data are shared responsibilities between the customer and Oracle. Likewise, privacy compliance is also a shared responsibility between Oracle and the customer.
This shared responsibility in the context of the GDPR is defined by three key actors:
- Data subject: An individual whose personal data is gathered and processed by the controller
- Controller: An entity that determines the purposes and means by which the data is processed
- Processor: An entity that only processes data at the controller’s command
Why GDPR matters to Oracle and our customers
Once it goes into effect, the GDPR will apply broadly to companies that:
- Are based both inside and outside the EU
- Collect and handle personal data from EU-based individuals
Personal data, also known as personal information or personally identifiable information in other parts of the world, is defined as any information relating to an individual that can be directly or indirectly identified, for example, by reference to identifiers such as:
- Names, identification numbers, and/or location data
- Online identifiers, or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity
The world has changed for companies collecting and handling personal data in the EU, both offline and online (that is, involving ecommerce or online advertising activities), due to:
- New and strengthened rights for individuals
- Accountability requirements for companies
- Increased scrutiny by regulators.
Therefore, companies collecting and handling personal data in the EU will need to consider and manage their data handling practices and use cases more carefully than ever before.
What are the key requirements of GDPR?
The GDPR was built on established and widely accepted privacy principles, such as purpose limitation, lawfulness, transparency, integrity, and confidentiality. It strengthens existing privacy and security requirements, including requirements for notice and consent, technical and operational security measures, and cross-border data flow mechanisms.
To adapt to the new reality of a digital, global, and data-driven economy, the GDPR also formalizes new privacy principles, such as accountability and data minimization, which are reflected throughout the text, including in the following requirements:
- Data security. Companies must implement an appropriate level of security, encompassing both technical and organizational security controls, to prevent data loss, information leaks, or other unauthorized data processing operations. The GDPR encourages companies to incorporate encryption, incident management, and network and system integrity, availability, and resilience requirements into their security program.
- Extended rights of individuals. Individuals have greater control—and ultimately greater ownership of—their own data. They also have an extended set of data protection rights, including the right to data portability and the right to be forgotten.
- Data breach notification. Companies have to inform their regulators and/or the impacted individuals without undue delay after becoming aware that their data has been subject to a data breach.
- Security audits. Companies will be expected to document and maintain records of their security practices, to audit the effectiveness of their security program, and to take corrective measures where appropriate.
Accelerate your path to GDPR compliance with Oracle
Oracle is committed to helping you develop a strategy to achieve GDPR security compliance. Oracle has more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. Trusted globally, Oracle Cloud solutions have a proven track record, serving leading businesses in 175 countries. Oracle successfully manages critical business data for more than 25,000 SaaS customers throughout the world—across finance, HR, supply chain, and customer experience (CX)—on a daily basis.
Oracle Cloud Applications customers can take advantage of Oracle’s vast experience in the cloud. Over the years, Oracle has invested the resources and designed controls and processes to expertly develop and manage its applications, databases, servers, and infrastructure across the entire cloud technology stack. Oracle gives its customers a SaaS advantage by offering the most complete suite of cloud applications—designed to be secure at every layer—for their entire business. Oracle Cloud applications can reduce risk and offer simplicity, with a single set of policies and standards for your business processes. In a constantly changing regulatory landscape, Oracle Cloud applications can help your organization address regulatory compliance more efficiently and easily.
Find out more about how Oracle Cloud applications can help accelerate your GDPR readiness.
How does GDPR impact Oracle Marketing Cloud?
Organizations around the world are continuing to focus on ensuring their systems, processes, and policies support GDPR guidelines. Marketing teams continue to be tasked with implementing changes in the way they manage processes, people, and technical controls in order to comply with the legislation. Oracle Marketing Cloud welcomes the positive changes the GDPR has brought to our services and we remain committed to helping our customers address GDPR requirements that are relevant to our products and services, including any applicable processor accountability requirements. Many of our services already have built-in privacy and security features to put our customers in control and to help build consumer trust.
Advanced security solutions and options for SaaS, PaaS, and IaaS customers
If you have additional data privacy and security needs beyond the standards and options built into software-as-a-service (SaaS) applications, or you use platform as a service (PaaS) or infrastructure as a service (IaaS), Oracle offers additional cloud security solutions and options. These solutions are designed to protect data, manage user identities, and monitor and audit IT environments. Oracle Cloud customers can also select additional Managed Security Services to leverage Oracle expertise in deployment and security technology management to further accelerate or enhance GDPR compliance.
Oracle Marketing Cloud comes prepared to support your GDPR requirements
As part of our commitment to help customers address GDPR requirements, Oracle Marketing Cloud comes packaged with a robust set of built-in privacy and security features that put marketers in control of the personal data they handle and helps them build consumer trust. These native capabilities span the broader Oracle Marketing Cloud portfolio and can be grouped into these categories:
| Collecting Personal Data | Oracle Marketing Cloud enables marketers to capture personal data across many different channels. As part of these data capture processes, marketers have the ability to incorporate mechanisms that enable their customers to make informed decisions about the use of their personal data. Whether someone is visiting your website, submitting a web form, or even sharing personal data across social media channels, Oracle Marketing Cloud provides controls that can be configured to meet specific business requirements. |
| Managing Personal Data | As today’s businesses capture vast amounts of personal data, marketing teams require powerful tools that enable them to manage data at scale. Oracle Marketing Cloud provides a comprehensive portfolio of features that makes it easy for marketers and customers to manage personal data. This includes the ability for marketers and customers to update personal data on request, as well as to securely transfer personal data at scale, leveraging modern APIs and SFTP mechanisms. |
| Protecting Personal Data | Businesses hold a responsibility to secure personal data to protect the integrity of their customers. Native to Oracle’s core business, Oracle Marketing Cloud provides state-of-the-art data security mechanisms and controls derived from privacy by design and privacy by default principles. These include capabilities like encryption, anonymization, and more to protect personal data at the highest possible standard as well granular access controls that enable organizations to distinguish which individuals or groups should have access to personal data. |
