Last 25th of May (obviously of 2018) Europe collapsed! OK, it's not as dramatic as it sounds, but almost! It reminded me of "The War of the Worlds": Europe got paralysed by the terrifying idea of the new law for the protection of personal data, the General Data Protection Regulation, coming straight from Brussels. And all this commotion because most businesses were not ready for it.
Oh well, it did arrive: the GDPR is now here! It was announced in 2016, but, as usual, companies didn't pay too much attention or give it the importance it deserves.
Around a month before the fantasy became a reality, all companies, small and big, started to freak out (especially the e-commerce sector) and launched a huge emailing campaign, letting all their clients, potential clients and consumers know not only that these companies had everything under control, but also that they needed their consent to keep sending them amazing deals and news about what's happening with their brands.
But what is the GDPR all about? Basically, it is the latest review of the old Data Protection law. The GDPR is a comprehensive regulation that unifies data protection laws across all European Union member states. It defines an extended set of rights for European Union citizens and residents regarding their personal data. But do we really know what the GDPR is? The answer is absolutely NO! People have no idea, and most companies are not even prepared. We find on social media or in the cloud tons of articles (lighter or heavier) about this subject, but, as usual, companies do not prepare until it is absolutely necessary, which makes it harder for small companies (PYMEs or startups) to adapt to all the key requirements and changes on time than for the big companies or moguls, which do it in record time thanks to the capacity and investment they are able to afford. The lack of awareness among startups and PYMEs is overwhelming, and the problem is that these companies haven't dedicated the time to adjust and verify that their businesses are safe.
As Kubide is a PYME, we understand the challenges we suffer, and to make it easier for the "poor mortals", we are going to describe the minimum requirements that any business should take into consideration to be ready for the GDPR. Like Tina used to sing in "Proud Mary", we are going to start "nice and easy": the GDPR requires implementing reasonable data protection measures to protect consumers' personal data and privacy against data loss or exposure. The most important principles and requirements regarding the management of personal data are:
Lawfulness, fairness and transparency: personal data should be processed in a lawful, fair and transparent manner.
Limited purpose: personal data should be collected for specified, explicit and legitimate purposes and not further processed in a way that is not compatible with those purposes.
Data minimization: the collection of personal data should be limited, and the data collected must be relevant to accomplish a specific purpose.
Accuracy: personal data stored and managed should be accurate and, where necessary, kept up to date.
Storage limitation: personal data shouldn't be kept for longer than is necessary for the purposes for which such personal data is processed.
Confidentiality and integrity: personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
But still, how do I prepare for all this? Besides the fact that you should already have all this under control, companies should also guarantee a "Data Protection Officer" (DPO), internal or external. Controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements.
In some cases they should grant the "Right to Access", which means that part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects. Another very important subject is "Breach Notification", which becomes mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach.
But now, talking seriously, who has to apply all these requirements? Well, EVERYONE! No one, and I mean no one, can escape this! And even more important: do not wake up the "European Sauron", basically because, in terms of penalties, they got pretty strict as well. Depending on the gravity of the breach of the GDPR, a company can be fined up to 4% of annual global turnover or €20 million. This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning "clouds" will not be exempt from GDPR enforcement.