What is GDPR?

“All people have three lives: the public, private and secret.” – Gabriel García Márquez

The EU’s new General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 and will have major consequences for Danish companies. There will be new, stricter requirements for your processing of personal data, and fines will be higher than ever if you do not comply with the regulation.

The purpose of the General Data Protection Regulation is to create a common basis for processing data in the EU and to increase the protection of a person’s registered personal data. The regulation takes a comprehensive approach, and the EU has therefore significantly increased the level of fines. If you do not meet the obligations of the data controller or the data processor, the fine will be 2% of revenue or 10,000,000 EUR. The fine can reach 4% of revenue or up to EUR 20,000,000 if you violate the basic principles of the regulation, for example by breaching the data subject’s rights or by not following orders from the supervisory authorities.

These fines are an effective motivation to comply with the regulation, and they could have major consequences for European companies. The size of the fines has also led to increased public interest in personal data, which creates a further disadvantage in case of non-compliance with the regulation.

The company’s brand and reputation have become more exposed due to this increased attention, especially for companies with private customers. Private customers often generate a lot of data and are more likely to pay attention to the company’s brand. If your company does not meet the requirements of the regulation, customers may lose confidence in your business and its security.

This concern has become even more relevant in the light of the many hacker attacks that, with increasing frequency, compromise companies and thus the personal data they hold.

The GDPR is a merger of earlier European data laws that have now been updated and combined into a single European law. The purpose of this legislation is to protect the data of the data subjects, as well as to make it easier for businesses and authorities to work across borders. It took the EU several years to arrive at this particular legislation, and although a certain amount of national freedom remains, the processing of data in the EU will be far more unified in the future.

For some companies, it is not entirely clear whether they will be affected by the regulation, so we would like to make it clear that all European companies are covered by this regulation. The regulation covers all companies that are located in the EU or supply goods or services to EU customers, as well as companies that monitor the behaviour of people in the EU.

The consequences of the new regulation will differ from company to company. However, there is no doubt that all companies need to consider the regulation and assess what changes will be needed to meet the new requirements.

The regulation has also given reason to specify what is meant by personal data, and some new elements have been added that were not included before.

Personal data means not only information such as CPR number, name, address and position, but also more sensitive data such as race, religion, sexual orientation, political affiliation and health information. Moreover, the regulation does not cover only customers; it covers customers, employees, partners, suppliers and the like. Thus, all data the company holds that can be used to identify the person concerned falls under the regulation.

Below you can get an overview of the data that the regulation deals with.

Many of the above types of personal data were also covered by the previous Personal Data Act, so the change is mainly the addition of more sensitive information and more data areas. The GDPR is in many ways based on the existing Personal Data Act. However, the new regulation sets some very specific new requirements for the processing of personal data that you have to deal with.

Requirements for consent

One of the main areas of the new regulation is a stricter requirement for consent. Consent to the processing of data must be more explicit and must specify what the data may be used for and by whom. In connection with this intensified focus on consent, it must also be easier for the data subject to withdraw their consent. The regulation therefore also gives the data subject the right to be forgotten, i.e. to have their data deleted. This means that the data subject must, at any time, be able to withdraw their consent and ask the company to delete all data and all history the company holds about them.

Data Controller and Data Protection Officer (DPO)

As keeping track of personal data will become a far more important task, there is now a requirement that the company should have a data controller or a DPO. It is the data controller’s task to document the handling of all data in the company and to supervise the company’s ongoing work with the GDPR.

The regulation covers many different areas of the company, and it can be difficult to assess which existing department is responsible for compliance with the regulation. Here the designation of a DPO can make it easier for the company to have a responsible person who can act across the existing departments.

Notification to the authorities

The regulation is largely about securing the data of the data subjects in case the company is compromised. However, you cannot always guard against malicious attacks. The regulation therefore requires a company to notify the supervisory authorities within 72 hours after the company’s data has been compromised. In addition, the data subjects concerned must also be informed that their data is no longer secure.

Privacy by Design

Many of the requirements of the regulation are about increased documentation and the preparation of new processes. However, there is also a requirement that the increased data security be built into the company’s structure and systems. It will therefore be necessary to implement various IT security solutions that can support the new structure and the new processes.

Documentation

A large part of the regulation is about being able to document almost everything. The company must be able to prove that it knows the requirements of the regulation and meets all of them. Here again, the data controller or DPO ensures that the documentation is in place and can be submitted to the supervisory authorities if necessary.

Why is the regulation important to you?

The fines mentioned above are of course a very good reason to meet the requirements of the regulation. The fines may be far higher than we have previously experienced, and a fine is not a one-off matter if the company still does not comply with the regulation’s requirements after the first fine.

As mentioned, the fines are not the only consequence of the regulation. The regulation may end up having both positive and negative consequences for the company’s brand and customer relations. If the company fails to meet the requirements of the regulation, customers will quickly lose confidence in the company, especially if data is compromised. It is important to remember that in the future it is unlawful not to comply with the regulation, and few customers will choose a business operating illegally over its law-abiding competitors.

However, if your business fully meets the requirements of the regulation, this can be used as a clear competitive advantage: you can offer your customers optimal security and peace of mind. Private customers in particular are not very forgiving of breaches of trust, such as the compromise of their personal data.

Are you ready?

There are still many companies that have not yet started their work with the GDPR and, for the most part, they are either not aware of the GDPR, do not believe it concerns them or expect the work to be done in a short period of time.

The General Data Protection Regulation is, however, extremely important to address, and it is just as important to get started right away. Living up to the regulation is a lengthy process, and it is essential to find out where you currently stand.

There are five basic phases you will go through to comply with the regulation. How long each phase takes depends, of course, on the size of the company and on how structured your data and data processing are at present.

The different phases can be seen in the model below.

If you have not started working with the GDPR at all, the most important thing is to find out where you currently stand, so that you can subsequently make a plan for what your next step is going to be. You can then break the process down into smaller, more manageable projects that can be handled and possibly delegated to different people in the organization.

It can be challenging to find out how far you are in the process and what the next step should be. Therefore, at GlobalSequr A/S, we have developed a complete framework that ensures you cover the whole business and include all the important issues.

Regardless of where you are in the process, we will always be able to introduce you to some possible solutions for your specific issues and to provide helpful advice for your upcoming project, and you are welcome to contact us for further discussion.