In May 2018 a new European data privacy regulation comes into force: the GDPR. Some call it THE BIGGEST change to European privacy law ever made; others call it the start of a revolution. Either way, businesses around the globe are rushing to become compliant in time, because those that do not risk heavy sanctions.
As of May 25th, 2018, the European Union General Data Protection Regulation (GDPR) comes into force.
In practice, the regulation overhauls the way businesses handle personal data and forces them to make that data more accessible to the people it describes. Companies can no longer use personal data as they see fit. The aim is ONE set of data privacy rules across the whole of Europe. Nor does it affect only European companies: any organization that processes the personal data of people in the EU, wherever that organization is based, falls under the GDPR.
GDPR for data privacy
Starting from the principle that privacy and data protection are fundamental rights, the European Union has decided to give its roughly 510 million people the same legal and digital framework. The GDPR was adopted to protect people's privacy. Much of the online commentary, however, focuses on the view that the regulation was not written with companies' interests in mind (if any thought was spared for how it affects organizations at all). Regardless, major companies have understood that it is time to get in line and follow the rules.
Just recently Facebook's chief privacy officer, Erin Egan, posted a complete breakdown of the company's "privacy principles", stating that users are fully in charge of the data they share. One can assume the post is timed to the upcoming GDPR deadline and meant to show that Facebook complies with the regulation. And when Facebook moves, the rest of the industry usually follows.
The two-year transition period companies have had since the GDPR was adopted is now over. It is time to get down to business! After the 25th of May this year, organizations face major fines if they do not comply with the new rules.
The new and improved data privacy rules
The shiny packaging is new, but data privacy regulation is not. Data protection has been on the EU's agenda for quite some time, though until now it has been like playing Monopoly with Ludo pieces: the old Directive was transposed differently in every member state, and no one knew exactly which rules applied. Now a step has been taken to ensure there is one set of rules for all players, making it "simpler" for everyone to understand.
Calling this change THE BIGGEST EVER in European history is not a stretch. Keep in mind that the EU's data privacy rules date only from the '90s. Even so, there are some major factors that change as of now:
- New, stronger rights for people to access the information companies hold on them
As a private person, one has the right to be informed about the data held about oneself. The rights also include access to that data, rectification and erasure, the right to object to its processing, data portability, and the right not to be subject to decisions based solely on "automated decision making", including profiling.
- New obligations for better data management among businesses
Among other things, these obligations include a clear line of responsibility for how organizations obtain an individual's consent before collecting their information.
There are also two terms to learn: controller and processor. A controller is the person or organization that decides the purposes and means of processing personal data. The processor is the person or organization that processes the data on behalf of the controller. Unlike the earlier Directive, the GDPR places obligations directly on processors as well, and a processor can be held liable for damage caused by processing if it has not met those obligations or has acted outside the controller's lawful instructions. Controllers must also bind their processors by a written contract (Article 28).
- New regime of heavy fines if regulations are not complied with
One of the most talked-about changes the GDPR brings is the fines businesses could face.
If a company does not process an individual's data correctly, it can be fined. If it needs a data protection officer but has not appointed one, it can be fined. If there is a personal data breach and the supervisory authority is not notified (within 72 hours where feasible), it can be fined... The list goes on.
And we are not talking pennies or cents. Lesser offenses can result in fines of up to €10 million or 2% of the company's annual worldwide turnover, whichever is higher. More serious offenses can result in fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
(The full EU GDPR legislative act from 2016 runs to 88 pages.)
Say hello to my little friend – GDPR
When Akin Gump Strauss Hauer & Feld published its Top 10 Topics for Directors in 2018, the GDPR and cybersecurity were among the subjects discussed at length. The firm listed best practices for going forward, with a strong emphasis on engaged senior management and employee training, as well as detailed instructions and guidelines for handling the loss of sensitive information. Many companies already focus strongly on exactly that.
Assuming your business has already prepared for the transition, here are 3 further steps to welcome GDPR and become friends with it.
- Stage 1 – Change your mindset!
Adapting to the GDPR means more than following the rules. Data privacy and cyber security should not merely be a priority; they should be a mindset, and action must be taken at every level of a company, from the bottom up to the executives and the board members. Teaching employees how to handle personal data and how to regard privacy is now a key part of corporate governance.
- Stage 2 – Be aware before you share!
This is the age of Big Data. Personal information is a moneymaker, often called "the new oil". Companies that make money from personal data now need to know what they are allowed (and required) to do before carrying on with routines from previous years. There are ways to comply without losing important earnings; one just needs to follow the right paths.
- Stage 3 – Choose the right provider!
When selecting a software security solution, businesses should choose providers who can tell them where their servers are located. Under the GDPR, transferring personal data to a third country outside the EU that lacks an adequate level of data protection is only allowed with appropriate safeguards (such as standard contractual clauses or binding corporate rules) or under a limited set of derogations. A server located in Europe (or in one of the 11 other countries the European Commission has recognised as providing adequate protection) therefore makes compliance much simpler. Server location alone is not enough, though: ask the provider which sub-processors can access the data and make sure a written data processing agreement, as Article 28 requires, is in place.
DiliTrust at your Service
DiliTrust is the leader in governance solutions and has its servers located in Europe and Canada, a country covered by an EU adequacy decision. You can therefore trust us to comply with the EU's GDPR. In addition, with the DiliTrust software solutions you can easily manage and share all your new routines anywhere, at any time. Contact us today to find out how we can help you adapt to the new data privacy regulations.