In 2016, the EU adopted new data protection legislation that will replace the data protection laws currently in force within Europe. The new regulation is known as the General Data Protection Regulation (GDPR for short) and is hailed as the biggest change in EU data protection law in the last 20 years. The new law covers numerous key issues relating to personal data stored and used by businesses, and also (finally) harmonises the many different shades and colours of national rules that exist today within each member state into one uniform set of rules for all businesses.
GDPR Overview
The new GDPR regulations will replace the existing data protection laws within the EU (known as Directive 94/46/EC) on 25 May 2018. From that day the new laws apply, which means you are expected to review your business and bring it into compliance between now and then.
Does it apply to me?
GDPR applies to all organisations operating within the EU and processing personal data of EU citizens. By personal data we mean any information that is collected, stored or used by your business that relates to identified persons, such as your customers or sales leads.
What does the new law say?
The new regulations build on the previous data protection laws by giving new rights to citizens as well as new obligations for organisations in terms of how they use personal data. GDPR also establishes penalties in the form of fines of up to 4% of annual global turnover for infringements. It is important to note that these penalties apply to both data owners (controllers) and handlers (processors). This means that cloud solutions are not exempt and must be considered an integral part of the whole business data landscape.
Key Points
Although the key principles of data privacy that protect personal information remain unchanged from the previous laws, many changes have been introduced covering the policies businesses must adopt to achieve compliance. Here are some of the most important:
Territorial Scope
The new laws now cover all businesses processing data of EU residents, regardless of their location. This means that GDPR now also applies to organisations established outside of the EU where they are serving or collecting data from customers within the EU.
Consent
A key compliance condition established by GDPR is the need to obtain clear consent from individuals when collecting their data. The consent must inform people of the purpose for which their data is held and must also enable them to grant, deny or withdraw their consent at any time in the future. The wording of such a consent should not be hidden in long and complex legal small print, but must be presented in an easily readable form.
Organisations should take this opportunity to review and update their published Data Privacy Policy (yes, you should have one by now!) with the aim of being transparent about the way you collect and use customers' personal data, and of presenting this important document in a simple and clear manner. Whilst the document carries legal weight, it must also be easy for customers to understand at the point where they are asked for their consent.
Breach Notification
In the case that a data breach occurs, you are now required by law to inform the data protection authorities without delay. Third party data processors, such as your cloud vendor, are also required to inform data controllers (your organisation) immediately if they become aware of any data breach.
Data Erasure
An individual will now have the right to be “forgotten” by an organisation, forcing it to erase their personal data entirely. The right to erase their data is triggered upon a request by the individual, but also in the case that the original purpose for processing their data changes.
Data Format
GDPR proposes a new common data format that can be used to transmit personal data back to customers should they request it. It will now be the right of any individual to request a copy of their data as held by an organisation.
Privacy Process
The need for organisations to think of ways to keep customer data private and safe is now also enshrined in law. Techniques and technologies such as data encryption and access control are some of the measures organisations may take to “implement appropriate technical and organisational measures … to meet the requirements of this Regulation and protect the rights of data subjects”. This effectively means that an organisation must think long and hard about how it keeps and handles personal data, as any careless or inappropriate process may constitute a breach of its data security obligations.
What’s the Next Step?
Webcraft welcomes the introduction of the new GDPR as it removes ambiguities and loopholes that previously caused confusion about the way organisations should manage personal data. We believe that the new regulations will help protect citizens’ information on the Internet as well as within organisations in general.
Our cloud-based services, particularly our WorkSpace Cloud business software platform, can play a key role in helping our customers achieve compliance and stay ahead of the requirements set out in the law. Our software is already designed to comply with the core data privacy principles, ensuring that sensitive data is stored and processed safely, and already provides the key tools and facilities for your organisation to implement its privacy policy.
We also understand that the new laws span a wide range of technologies and business processes that differ between organisations. We can therefore help you review and gather your specific data privacy requirements and design the right data privacy policy, based on our cloud tools and industry best practices, in time for the May 2018 deadline.
Get in touch with us today to find out more about how we can assist your organisation.
Learn more about GDPR at eugdpr.org