With new privacy guidelines, it’s like the holiday season, which is certainly a bit for everyone to get caught up in: It keeps being brought up, that people want to escape the stress of shopping by buying presents earlier and earlier. And the result? Right: You’re running with shoes on through a mall that’s way too full, because it’s the day before Christmas Eve, hands full with wrapped gifts and thinking: Next year I’m buying my gifts way earlier!!!
In the General Data Protection Regulation’s view, which has been around since the 24th of May 2016, many companies appear to have fallen into the same vicious circle. For over 18 months, you could have at least just thought about implementing the standards of the GDPR. But even in this case, everything’s rushed and overwhelming, just like shopping in the mall on the day before Christmas Eve: Despite the stress and a “last minute” preparation you spend the holidays in peace and quiet.
Before demonising the EU and its regulatory illusions, you should be aware that current data protection issues in the EU are either governed by national laws or enshrined in the already 23-year-old Directive 95/46 / EC (Data Protection Directive) – so, it’s time for something new, right? The General Data Protection Regulation (GDPR) should take its place as the new standard. But what are the GDPR’s goals and themes?
- This Regulation lays down rules for the protection of individuals with regard to the processing of personal data and free movement of such data.
- This Regulation protects the fundamental rights and freedoms of natural persons, and in particular, their right to the protection of personal data.
- The free movement of personal data in the Union must not be restricted or prohibited for the protection of individuals with regard to the processing of personal data.
In short: Individuals now have more access to data handled by companies. By the way, in contrast to Directive 95/46 / EC, the territorial scope is based on the marketplace principle: Where personal data is collected within the EU based on offers of services/products, the GDPR applies. So the new policy is (especially) aimed at big American companies like Facebook, Google, and Amazon.
So much information for the simple “What is the GDPR?”. If you would like to read more about the GDPR, you can read the complete legal text here.
…And what does that look like?
Most likely, there are systems in your own company that store customer data. These are, for example, CRM and marketing automation systems. The practical implementation of the GDPR, of course, differs from system to system. Salesforce, for example, has been working on the implementation of the GDPR in all cloud products for several months and has already started to train all its partners.
But whether Salesforce, Microsoft, SAP, CAS, or whatever system: The GDPR sets out some basic principles to prepare your system for the 25th of May:
- “Ask for my consent!”: Personal data should be processed. To do this, consent of the customer is required, which incidentally has to be proven and stored by the system.
- “Stop processing my data!”: Customers can now demand that companies stop the processing of their personal data. This does not mean deletion.
- “Delete my data!”: “The Right to be Forgotten” means that personal data must be deleted immediately.
- “Give me my data!”: For example, if your own personal information is stored with a company, you have the right to “portability”. You can therefore demand, that your own data be transferred “in a structured, common, and machine-readable format”.
- “Correct my data!”: Affected individuals can inform about the correction of personal data … and these changes must then be implemented. This may sound simple but in reality, very few companies will already have a process for this.
There are also other requirements such as pseudonymisation and encryption of personal data. The problem isn’t that modern systems couldn’t meet these requirements. No. The GDPR requires a lot more of these new processes in the company as well as a partially extended circle of people who take care of the data protection.
What everyone has to go through…
What comforted me when I ran desperately through a department store on Christmas Eve Eve? I wasn’t alone! The same goes for the GDPR. Every business is going through this. Otherwise, you can expect a lot of penalties. The catalogue of sanctions for the GDPR can be found in Article 83. Depending on what you violate, penalties of up to 20 million euros or 4 percent of the total annual sales achieved worldwide are threatened – the penalties can be quite life-threatening.
But don’t fear: It’s not the EU’s goal to bankrupt every company. While there is widespread concern, it’s expected that EU companies will still have a longer reprimand and penalties, if imposed, will not immediately be sanctioned with the maximum of the demands contained in Article 83.
Don’t get it twisted: You’re no longer able to say “Oh, I’ve still got time, I can wait.” Today, to complete the analogy, is not yet the 23rd, but the 22nd of December. It’s really to deal with the GDPR. Incidentally, dotSource can help: We like to look at processes and systems, and help with the implementation of the GDPR, for example, by means of Salesforce, SAP, or Microsoft. Our quality privacy fanatics can be reached here.