What has changed?
Finally! In December 2015 the European Union reached agreement on the new General Data Protection Regulation (GDPR). Since 25 May 2018 the GDPR has applied directly in every member state and unifies data privacy law across the EU.
Timetable – Data Protection
- March 2016 – official German version of GDPR
- April 2016 – consultation process within EU-Council of Ministers, followed by voting in European Parliament
- May 25th 2018 – the new General Data Protection Regulation goes into effect
Goals and Principles
The main goals of the new GDPR are the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
The new law is intended to strengthen data protection for individuals and users: control over personal data is returned to the citizen. The principles laid out in Article 5 of the GDPR require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
The controller shall be responsible for, and be able to demonstrate compliance with, these principles (accountability).
Heads up! Accountability reverses the burden of proof: it is no longer enough to be compliant, the controller (and in practice company management) has to be able to demonstrate compliance, for example through documented processing records, risk assessments and technical and organisational measures, in order to escape liability.
Financial penalties
One of the most significant and, for businesses, most unpleasant changes is the size of the sanctions: under the GDPR, firms can be fined up to €20 million (roughly $28m) or four percent of total worldwide annual turnover of the preceding financial year, whichever is greater. Fines of this magnitude can threaten the solvency or even the continued existence of a company, and they apply to every business that falls within the scope of the regulation.
Personal data
GDPR applies only in situations involving personal data. Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier such as an IP address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Note that indirect identifiability is enough: pseudonymised data, device IDs and cookie identifiers can all be personal data if they can be linked back to a person.
Who does it concern?
All companies established within the EU, regardless of whether the processing itself takes place in the EU.
Companies established outside the EU must also comply with the regulation if:
- they have an establishment (for example a branch or subsidiary) within the EU, or
- they process personal data of data subjects who are in the EU, where the processing relates to offering them goods or services (paid or free) or to monitoring their behaviour within the EU.
Note that the decisive criterion is the location of the data subject, not their citizenship: a non-EU company serving people who are in the EU falls under the GDPR.
If you have any questions regarding one of the above-mentioned subjects, data protection in general, or any other GDPR-relevant topic,
Port Zero is happy to offer consulting services in this area, based on extensive experience and competence in the fields of data protection, data protection compliance and IT security. Our consulting process is designed to quickly and thoroughly identify problems and risks and to find sustainable solutions that meet the GDPR's requirements on data privacy. We will also gladly assist in implementing a Data Protection Management System (DPMS) and an Information Security Management System (ISMS).
A further area of expertise is information technology and IT solutions. Modern data privacy and IT-based subjects are inseparable: preparing properly for an audit or adjusting the IT systems concerned, for example, requires a great deal of IT expertise. Having accrued considerable experience over the years in the IT business, we have gained substantial know-how that benefits all of our data security customers.