Introduction
May 25, 2018 is fast approaching and with it the direct application of the European General Data Protection Regulation (GDPR) in all member states.
Companies of all sizes and industries that are based in the EU, or that merely process the data of EU citizens, must comply with it. Formally the GDPR is an entirely new body of data protection law, but its core principles are largely continuous with the regulations that preceded it.
This Regulation shall apply to the processing of personal data wholly or partly by automated means and to the non-automated processing of personal data which are or are intended to be stored in a filing system.
When it comes to data protection, every company has work ahead of it: the General Data Protection Regulation (GDPR) raises the rules for handling personal data to a uniform EU-wide level and introduces fundamental, and in some cases far-reaching, changes.
The Regulation is already officially in force and must be implemented by May 2018.
The Regulation brings data protection into the age of cloud computing and big data and aims to regulate it uniformly throughout Europe as a fundamental right. Every company that maintains customer relationships in Europe and collects buyer data in the process must comply with the GDPR. This also applies to companies that are based outside Europe and manage their data outside European borders.
When does the GDPR come into effect?
The EU GDPR entered into force on May 25, 2016. We are currently still in the two-year transition period; the Regulation applies from May 25, 2018. Compliance will be monitored by the data protection supervisory authorities and courts of the member states, which in Germany are organized at the federal state level and are currently establishing the necessary structures.
In Germany, the GDPR supersedes the previous framework built on the 1995 EU Data Protection Directive and implemented nationally through the Federal Data Protection Act (BDSG), which was completely outdated from today's perspective.
Main requirements of the GDPR
The main requirements of the GDPR are divided into four fields of action.
1. Organization: All companies with ten or more employees require a data protection officer. This threshold comes from German national law (the BDSG); the GDPR itself ties the obligation to the nature and scale of the processing. The officer can be a suitably qualified employee or an external service provider. Seminars for data protection officers usually last three days and cost around 2,000 euros.
2. Processes: The most important requirement here is that the competent supervisory authority must be informed within 72 hours of a data breach being detected, and the data subjects must be informed as well if the breach is "likely" to result in a "high risk" to them.
3. Technology: Technology should correspond to the state of the art. Although this is very softly worded, the wording is deliberate: the Regulation is meant to remain valid in ten years' time, so future developments are already covered by it. State of the art also means technology that is available on the market, has proven itself in practice and is affordable.
4. Law:
Penalties: what used to be a "minor fine"
A breach of the GDPR by a company can lead to fines and, depending on national law, criminal prosecution. It is the first EU regulation on data protection, directly applicable in every member state. The penalties for violations are draconian: up to four percent of a company's total worldwide annual turnover, or 20 million euros, whichever is higher.
The right to be forgotten
As noted above, every company that works with the personal data of EU residents is obliged to thoroughly review its information management processes. In future, this will also include new principles such as the "right to be forgotten" and reporting obligations. For example, a company may have to delete personal data within a certain period of time if a user requests this. Individuals affected by a data breach must also be informed without undue delay if their personal data has fallen into the wrong hands and this poses a high risk to their rights and freedoms.
The problem is that most companies do not know the exact content of more than half of their stored data. The industry refers to this as "dark data": data whose content is unknown to the owner. This lack of transparency makes it difficult for companies to locate the right data quickly and reliably, which is exactly what a deletion request or a breach notification deadline demands.
This information was taken in part from the magazine: “Das Storage-Magazin”.