In recent weeks, my inbox has been filled with daily reminders of how far data privacy has come. The E.U. General Data Protection Regulation (“GDPR”) became effective May 25, and multinational corporations from Target to Twitter have been notifying their customers of the steps they have taken to comply with the new law.
At first that might not seem noteworthy: Under the GDPR, all companies processing personal data of E.U. residents must apply new rigor to their collection and use of that data and adopt a heightened level of transparency. For instance, companies must document the E.U. personal data they collect, the purposes for processing it, and any transfers to third parties. They must also integrate privacy into their businesses by conducting privacy impact assessments for any new activities that might pose a high risk to the privacy rights of E.U. residents. And companies must provide clear notice of how they use personal data and how individuals can exercise their rights regarding their personal data. Hence, the emails.
But I don’t live in the E.U., and the GDPR does not apply to my personal data. So why are all of these companies emailing me?
The answer, I believe, highlights a fundamental shift in how the corporate world is approaching data privacy. Companies across industries are choosing to apply GDPR-compliant policies and practices to all customers no matter where they live. This choice likely is driven by many factors, such as the realization that in a connected world, region-specific policies are no longer practical. But at some level, companies are recognizing the growing importance of privacy rights to all individuals, particularly when it comes to the collection and use of their personal information. Long considered a fundamental right in the E.U., the right to the protection of personal data has appeal outside of the E.U. as well in an age of identity theft, state-sponsored hacking and the exposure of social media. But no matter the reason, the result is the global extension of the E.U.’s new best-in-class law, accelerating the expansion of privacy rights well beyond what regulators alone could accomplish. And likely there is no going back.
Keysight and GDPR
In preparing for the GDPR, Keysight too has taken the global view. Our commitment to operating with uncompromising integrity has long included honoring individual privacy rights and protecting the personal data we hold. Keysight’s Standards of Business Conduct includes a dedicated provision on data privacy, and functional groups within Keysight have maintained specific policies and procedures to ensure that personal data is handled appropriately. To strengthen our existing privacy controls, Keysight has:
- Updated our Customer Privacy Statement and Employee Data Privacy Statement to ensure we are providing clear, transparent notice to individuals about how Keysight collects, processes and transfers personal data;
- Developed a global process to provide individuals access to their personal data, as well as the ability to request correction or deletion of that data;
- Required that all vendors that process substantial personal data on Keysight’s behalf enter into data privacy agreements to govern the transfer and processing of the data;
- Adapted our collection of individual customer contact information to ensure we are meeting GDPR requirements around consent;
- Reviewed and documented Keysight’s personal data processing activities – from marketing to HR to workplace solutions and beyond – to ensure compliance with GDPR principles; and
- Trained each of our approximately 11,000 employees on the GDPR and its requirements.
GDPR: A shift for the better, globally
It is exciting to witness the advancement of privacy rights in the E.U. and the expansion of those rights beyond E.U. borders. While this means a lot more work for multinational corporations, we are all better for it.