In May 2018, a new European Data Privacy Act is being enforced; the GDPR. Some refer to this as THE BIGGEST change to European privacy laws ever being made. Others say it’s a path to revolution. Regardless, businesses around the globe are rushing to become compliant in time, or they risk facing heavy sanctions.
As of May 25th 2018, the European Union General Data Protection Regulation (GDPR) comes into force.
Basically, that means the EU regulation will refurbish the way businesses process handle their data and force them to make it more accessible for users. Companies no longer have the right to use user data as they wish. This is done to have ONE set of data privacy rules across the whole of Europe. But not only does it affect European companies at that. Any corporation wishing to have business with any European organisation is contained under the GDPR.
Let’s get down to business
With the statement that privacy and data protection are both fundamental rights, the European Union has decided to make sure that its somewhat 510 million people now will have the same legal and digital framework. The GDPR was decided upon to protect the privacy of people. The buzz around the internet however, continues to focus on that the regulation has not had the best of companies in mind (if they evenspared a thought to how it affects organisations.) Regardless, major companies has understood it is time to get in line and follow the regulations.
Just recently Facebook’s chief privacy officer, Erin Egan, posted a complete breakdown on the company’s “privacy principles”. She stated their users are completely in charge over their own shared data. One can assume that this post comes is in line with the upcoming GDPR act, showing that Facebook complies to the regulations. And normally when Facebook does, the rest follows.
The two year grace period companies have had since the GDPR was ruled on is now over. It is time to get down to business! After the 25th of May this year, organisations face major fines if they don’t comply to the new regulations.
The new and improved data privacy rules
This shiny packageing of data privacy regulation is nothing new. Data sharing has been on the EU’s agenda for quite some time, though it’s been like playing monoploy with ludo pieces. No one knew exactly what was going on before. Now a step has been taken to ensure there is only one set of rules for all players, making it “simpler” for everyone to understand.
Calling this change THE BIGGEST EVER in European history is not even a far stretch. Keep in mind, the EU data privacy laws were only created in the 90’s… Even so, there are some major factors that will change as of now:
- New, stronger rights for people to access the information companies hold on them
As a private person, one has the right to be informed about the data held. The rights also cover to get access, to erase, right to object to the content as well as the right to not be subject to “automated decision making” (profiling) etc.
- New obligations are implemented for better data management among business
Amongst other regulations, these obligations include a clear responsibilty path for how organisations obtain peoples consent before collecting their information.
There are also two different terms to learn; Controller and Processor. A controller is a person or group that decides the purpose on the use of personal data The processor is the person or group that processes the data on behalf of the controller. Aside from a scenario where direct contractual obligations are enforced on behalf of the controller, processors won’t be held liable for loss or exposure of information.
- New regime of heavy fines if regulations are not complied
One of the most talked about changes when the GDPR is being enforced is all the fines businesses could possibly be facing.
If companies do not process an individual’s data in the correct way, they can be fined. If they don’t have a data protection officer but need one, they can be fined. If there’s a security breach and no notification about it is done, they can be fined… The list goes on.
And moneywise it’s no talk about pennies or cents… Small offences could result in fines up to 2% (or €10 million) of a company’s global turnover. Larger offences with more serious consequences can result in fines up to 4% (or €20 million) of the global turnover.
(Click here to read all the 88 pages of the EU GDPR legislative act from 2016.)
Say hello to my little friend – GDPR
When Akin Gump Strass Hauer & Feld published their Top 10 Topics for Directors in 2018 the GDPR and cyber security was a widely discussed subjects. They listed the best practices to go forward, and put strong emphasis on engaged senior management and employee training as well as detailed instructions and guidelines on how to handle loss of senitive information. Something many companies already have high focus on.
Considering that your business has already prepared for the transition, here are 3 further steps to welcome and become friends with GDPR.
- Stage 1 – Change your mindset!
To adapt to the GDPR, one should not only follow the rules. Data privacy and cyber security should not be a priority – it should be a mindset; and actions must be taken starting from the bottom of a company, finishing at the executives and the board members. Teaching employees on how to handle personal data and how to regard privacy is now key in corporate governance.
- Stage 2 – Be aware before you share!
The time & age now is the one of Big Data. Personal information is a moneymaker compared to “the new oil”. Companies monetising from dealing with personal data now need to know what is allowed (and supposed) to be done before following routines from previous years. There will be ways to comply and not lose important earnings, one just needs to follow the right paths.
- Stage 3 – Choose the right provider!
When selecting a software security solution, businesses should choose providers who can inform them about where their servers are situated. According to the GDRP, data transfer to a third party outside the EU that does not have the adequate data protection standards is only allowed under exceptional circumstances. Therefore, a server located in Europe (or one of the other 11 countries that meets EU standards) is crucial.
DiliTrust at your Service
DiliTrust is the leader in governance solutions and has its servers located in Europe and Canada. You can therefore trust us to comply with the EU’s GDPR. In addition, with the DiliTrust software solutions you can easily manage and share all your new routines anywhere, at any time. Contact us today to find out how we can help you adapt to the new data privacy regulations.
If you enjoyed this read you should also try “Protecting the exchange of confidential documents, a major challenge”.