The clock has been ticking and, with less than a year to go, it’s time to crank out our second article…
After our first blog post on why you should move to the cloud now, the topic of high importance today is the new EU General Data Protection Regulation and how it is going to impact your business. With that in mind, I’ve decided to write up the main changes covered in the new regulation in a format anyone can understand, so you can start aligning your company as soon as possible. So, let’s go?
Four years of discussion and research, and finally on 14 April 2016 the GDPR was approved by the EU Parliament. So, what happens next? The EU General Data Protection Regulation replaces the Data Protection Directive 95/46/EC, and its principal objective is to harmonise data privacy law across Europe. It is intended to safeguard and empower the data privacy of all EU citizens and, more than that, to reshape how companies deal with data protection. Today’s data-driven world is completely different from the time in which the 1995 Data Protection Directive was drafted, and with this in mind we are going to list the main changes and core points of the new GDPR.
• An Expanded Geographical Scope: Regardless of where your company is located, the regulation applies to all businesses and corporations processing and handling the personal data of data subjects residing within the EU. This means that every company that is not in EU territory but is addressing consumers inside the EU will fall under the regulation. This is the main difference from the current directive.
• Penalties: Breaches can be fined up to 4% of annual global turnover or 20 million euros, and this is the highest fine that can be imposed. Specific infringements can also attract fines of 2% of annual worldwide turnover or 10 million euros. You can view a list of the latest fines issued, and the reasons for them, below.
ICO website: http://bit.ly/2jidEQT
• Consent: the main idea is that consent must be very clear for sensitive data, and the controller must be able to show that consent was given. Tools of this kind already exist, but the important point here is meeting the new conditions. To sum up, consent must be clear and provided in an intelligible, easily accessible form, in language anyone can understand. The use of long, illegible terms and conditions is no longer permitted.
Data Subjects’ Rights:
• Breach Notification: Data controllers must report data breaches to the DPA within 72 hours at most. This means that every organisation needs to implement internal steps to follow in the event of a data breach.
• Right to Access: data subjects have the right to obtain from the data controller confirmation of whether data concerning them is being processed, where, and for what purpose. Following this, a copy of their data must be provided by the controller in an electronic format.
• Right to be forgotten: individuals can require the controller to erase their data without delay and to cease further dissemination of the data.
• Data Portability: individuals can request their personal data in a structured format and then transmit it to another data controller.
• Privacy by design: Article 23 ‘The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects’. In effect, this is the introduction of data protection by design and by default.
• Data Protection Officers: internal records will now have to be kept, and data controllers will need to appoint a DPO (Data Protection Officer) as part of their accountability agenda. The DPO should also meet certain specifications: (i) professional qualities, being an expert on data protection, and may be a staff member or an external service provider; (ii) appropriate resources should be provided to the DPO, who must report directly to the highest level of management in the company; (iii) other responsibilities that could cause a conflict of interest must be removed.
Many actions should be taken: prepare for data breaches, check your policies and privacy notices, launch an accountability framework, analyse your legal basis, and more. According to Andrus Ansip, Vice-President for the Digital Single Market at the EU Commission, this regulation is a major step towards a Digital Single Market. From a business compliance perspective, organisations now have a compelling reason to tackle issues that have often been difficult to get signed off or justified at board level. This is not just a challenge for IT: it encompasses data cleansing, process mapping, acquiring customer consent, governance control frameworks, and best practice. The European Union has a clear and structured regulation and the advice is clear: implementation should start now, as you have less than 365 days until GDPR enforcement.
Data protection by design and by default.
Our next blog will look into CRM trends and how they can impact your business.
Is your organisation GDPR prepared?
For more information or any advice for your organisation, email: firstname.lastname@example.org