EU General Data Protection Regulation and How It Will Affect Your Company
Close interaction with the cyber world has brought tremendous benefits to humanity, but at the same time it has made us more vulnerable and paranoid about our privacy. With so much information gathered, analyzed and used, people are becoming more concerned about personal data protection. That is why the European Commission set out to review the current Data Protection Act (DPA) and replace it with a new set of legislation that comes into effect on 25 May 2018.
Please welcome the EU General Data Protection Regulation – the most substantial change in data privacy regulation in the last 20 years. The GDPR puts any personal information related to the private, professional or public life of an EU resident under strict protection. This includes names, photos, email addresses, bank details, social media and other website publications, medical records, even their computer’s IP address.
According to the European Commission, the General Data Protection Regulation will secure the rights of European Union (EU) residents and at the same time simplify data protection worldwide. The EU GDPR will change how businesses and public sector organisations handle the personal information of EU residents. Skelia dug into the details of this innovation and we’re here to share this GDPR summary with you.
The GDPR will guarantee individual rights and control over people’s personal data. It provides the right to be informed about the intended use once the data is obtained, the right to demand access, the right to rectify inaccurate data and the right to restrict or object to the processing of personal data. On top of that, the GDPR provides “the right to be forgotten,” which, unlike the right to privacy, involves removing only the publicly known information at a certain time and not allowing third parties to access the information. Companies are explicitly required to ensure these rights for their users and provide them with access to their own personal data at any time, as well as information about what data the companies hold and where it is located – on PCs, servers or in the Cloud.
Data Processor and Data Controller
During the implementation period, all companies have to take actions in preparing to comply with the new requirements about consent, data mapping and cross-border data transfer. The GDPR clarifies the difference between the roles of data processors and data controllers. Simply put, a data controller is an entity that determines the purposes, conditions and means of the processing of personal data, whereas the data processor is an entity which processes personal data on behalf of the controller. No matter if a company is a data controller or a data processor, it is obliged to respect individual rights while processing personal data entrusted to the company.
Data Protection Officers
The GDPR will simplify the relations between data controllers and data protection officers. Currently, all data controllers have to report any data processing activities to local DPOs. But because most EU Member States have different requirements for these reports, the whole process involves a lot of excruciating red tape. Luckily, the GDPR will no longer require submitting registrations to local DPOs; the majority of controllers will instead just have to comply with internal record-keeping requirements. However, appointing a DPO is a must for controllers and processors whose operations require regular monitoring of data subjects on a large scale. This also concerns special categories of information and data relating to criminal convictions and offences.
Penalties for Non-Compliance
If a company cannot ensure proper data protection, it will be fined. Any violations regarding record-keeping, security, breach notification and privacy impact assessment will result in penalties. The fine can be as high as €10 million or 2% of the company’s total worldwide annual turnover of the preceding financial year. In the case of a data breach, the supervisory authority should be informed within 72 hours and given the full details and proposals for mitigating its effects. If this deadline cannot be met, the data controller must provide a reasoned justification for the delay. However, a company is not required to notify the supervisory authority if the personal data breach is unlikely to threaten the rights and freedoms of individuals.
Privacy by Design and by Default
The principles of data protection by design and by default are the cornerstone of the GDPR. Many products and services involve gathering and using personal data. Privacy by design means that data privacy has to be taken into account throughout the whole process of developing these products and services. Privacy by default means that privacy principles apply automatically when consumers acquire them. Businesses and data controllers should take appropriate technical and procedural measures to ensure that such products and services are designed according to the latest data protection requirements. This may include proper encryption or pseudonymisation of personal data, limiting data processing to the purpose for which the data was collected, restricting access to personal data within an organization, etc.
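As an added illustration (not code from the original article or from Skelia), the following Python example shows two of the measures listed above in practice: pseudonymisation of the identifying fields with a keyed hash whose key is held separately from the data, and purpose limitation by copying only the fields a given processing purpose needs. The sample record and field names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample record (not real data): the kinds of personal data the
# article lists as in scope for the GDPR.
SAMPLE_RECORD = {
    "name": "Ada Example",
    "email": "ada@example.org",
    "ip": "192.0.2.10",
    "plan": "trial",
    "signup_month": "2018-05",
}

# Fields that directly identify a person and must never leave the system in
# clear form for secondary purposes such as analytics.
IDENTIFIERS = ("name", "email", "ip")


def new_pseudonym_key():
    """Generate the 'additional information' that allows re-identification.

    This key must be stored separately from the pseudonymised dataset (for
    example in a KMS or HSM) and access to it restricted within the organisation.
    """
    return secrets.token_bytes(32)


def pseudonym(key, value):
    """Deterministic keyed hash of one identifier.

    HMAC-SHA256 rather than a plain hash: without the key, an attacker cannot
    recompute tokens for guessed emails or IPs and so cannot link them back.
    The same value under the same key always yields the same token, so records
    can still be joined and de-duplicated by the processor.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record, key, purpose_fields):
    """Return a copy limited to purpose_fields, identifiers replaced by tokens.

    Fields outside purpose_fields are dropped entirely (purpose limitation);
    identifying fields that the purpose does need are pseudonymised.
    """
    out = {}
    for field in purpose_fields:
        if field not in record:
            continue
        out[field] = pseudonym(key, record[field]) if field in IDENTIFIERS else record[field]
    return out
```

A dataset produced this way can be shared with an analytics team without exposing names or addresses, while the team holding the key can still answer a subject access or erasure request by recomputing the token for the person's email.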
Skelia is Ready to Roll
When it comes to security, Skelia takes measures immediately. Customers can rest assured that Skelia has invested additional time and effort to achieve full compliance with the new GDPR rules. We have updated the procedures around subject access requests, improved data protection for individuals and applied the “privacy by design” principle in our security strategies. Skelia has all the tools required to protect our customers’ private data from misuse and from falling into unauthorised hands. We hope that this GDPR overview will help you make the right amendments to your corporate security policy.