What Is GDPR?
On May 25, 2018, the European Union’s new data privacy regulation goes into effect. The new policy, known as the General Data Protection Regulation (GDPR), has been in the works for over four years. The legislation is designed to “harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”.
The European Council and other governing bodies are implementing GDPR to replace the existing Data Protection Directive 95/46/EC, adopted in 1995, to keep pace with today’s data-driven world. GDPR is designed to give individuals increased control over their personal information by making it more transparent where their information is going.
What Are The Major Changes GDPR Will Bring About?
Some of the key changes GDPR imposes include:
1. Increased Territorial Scope
• Any company processing personal data of subjects that reside in the EU must follow GDPR regardless of company location.
2. Consent
• Consent for data processing must be clear, distinguishable, and equally easy to give and withdraw.
3. Breach Notification
• In the case of any data breach, companies must notify all persons affected within 72 hours of becoming aware of the breach.
4. Right to Access
• Data Subjects must be given an electronic copy of their personal data free of charge.
5. Right to Be Forgotten
• Data Subjects can now request erasure of their personal data if certain criteria are met.
6. Data Portability
• Data Subjects have the right to receive personal data that concerns them.
7. Privacy by Design
• This concept has been around for years but is now becoming a legal requirement. It specifies that data protection requirements must be considered from the outset when designing Information Governance and archiving systems.
8. Data Protection Officers
• Controllers will face different requirements regarding Data Protection Officer meetings and rules for communication about data processing activities. Any company with over 250 employees will be required to have a DPO.
Who Will Be Affected?
The GDPR applies to all EU organizations but also to organizations outside the EU that offer goods or services to EU Data Subjects. Additionally, GDPR applies to “all companies processing and holding the personal data of Data Subjects residing in the EU, regardless of the company’s location”.
As of now, companies in the UK must follow GDPR until the United Kingdom officially leaves the EU.
No company is exempt from GDPR. Even companies using cloud storage must comply: if your company uses cloud storage, you must be able to identify where information resides when asked, and must be able to delete it if necessary.
Watch Out For Steep, Profit-Based Fines
Any company that fails to follow the new regulations will face heavy fines or even dissolution. Fines are tiered. The infographic below, courtesy of Software AC, explains the fines and how your company could be affected by violations.
Less serious compliance failures, such as an administrative failure in record keeping, face a fine of either 2% of annual global turnover or 10 million euros. Companies with more serious offenses, including a breach of basic data protection principles, can be fined up to “4% of annual global turnover” or “20 million euros”, whichever is greater.
The more a company makes in revenue and profit, the higher its potential fine.
How Globanet Can Help With GDPR Compliance
Companies subject to GDPR are advised to start preparing now in order to avoid the risk of heavy financial fines. One way to work toward compliance is through Globanet Merge1. A communications and content archiving tool, Merge1 is instrumental in archiving and retaining customer data in order to comply with GDPR.
Merge1 is the simplest and most affordable way to achieve data compliance because it leverages your existing infrastructure. Merge1 extends the ability of your email archive to capture non-email communications, such as:
• Social media (e.g. Facebook, Twitter, etc.)
• Enterprise collaboration (e.g. Slack, Jabber)
• Enterprise IM (e.g. Skype for Business)
• Financial platforms (e.g. Bloomberg, Symphony)
• Cloud-based files (e.g. OneDrive, Box)
Once these content types are ingested into your current email archive – whether on-prem or in the Cloud – the data can be retained, searched during eDiscovery, and reproduced for regulator inquiries and internal Information Governance.
To learn more about GDPR compliance with Merge1, or to request a demo, please contact us today.