On 25 May 2018, long-awaited EU legislation will enter into force, specifying new rules for organizations on the handling of the personal data of their clients, potential customers, suppliers, and employees. The objective of this regulation is to protect the digital rights of the people of the European Union. The regulation applies to personal data across all segments and industries.
What are personal data?
Personal data include: names, addresses, geographical locations, electronic identifiers (digital identity cards), health data, income, cultural profiles, and more. With increasing levels of digitization, it is much easier to collect data about individual users, and we often do not even think about what we disclose by carelessly sharing information about ourselves. We fill in e-shop forms, use various loyalty cards, respond to surveys, and fill social networks with details of our private lives. Until now, this information has been scattered across the separate administrators of these databases, but the threat that all the details of a particular person can be combined into a single picture is alarming and increasingly relevant. Legislators have sought to mitigate this risk by establishing limits on the collection and storage of personal data, namely through the General Data Protection Regulation (GDPR).
Who does GDPR apply to?
GDPR does not only apply to institutions, but also to individuals or online services that work with user data - such as those who track or analyze people’s behavior on the web or while they use applications or smart technologies. Another group is sales databases, which help marketers directly target recipients of advertisements based on age, gender, interests, profession, and other criteria. Databases of contacts have always been a valuable asset for their owner, but under the GDPR they will need to be renewed before further use, by having each contact actively tick a consent box for receiving business messages. If the database owner does not obtain this consent, then they must delete the contacts. Many businesses may lose the very basis of their business.
What is a “Data Protection Officer”?
As part of their successful management of the GDPR, companies that act as data controllers (or employ more than 250 people) should establish the position of an independent data protection officer (DPO), who will be responsible for ensuring the company has everything set up correctly and continuously complies with the GDPR. The DPO will also handle communication with the regulatory authorities, in particular the Office for Personal Data Protection. The obligation to appoint a DPO also applies to smaller companies processing personal data: 1) as a public authority; 2) when their main activity involves regular and systematic monitoring of data subjects, e.g. monitoring of online user behavior; 3) in the area of sensitive categories (health data, biometric data, criminal records, etc.). This expert should know the IT environment, because the GDPR goes hand in hand with the digitization of documents, which are then processed, stored, and shredded electronically. If a company is not required to have a DPO, it should still designate a person or department in charge of the new regulation on personal data management.
What is the “principle of accountability”?
The obligations of the GDPR include the so-called principle of accountability, which means continuously documenting compliance with the GDPR and being able to demonstrate that compliance to the regulator. This measure applies to companies with over 250 employees (or smaller companies in the case of sensitive data processors, state organizations, and companies monitoring online behavior).
Financial impacts of the GDPR
It should be remembered that the GDPR agenda will considerably burden the company’s budget. It will be necessary to invest in the required software and to pay staff for its implementation or for accompanying consultation. Higher personnel costs will also arise, in the case of the DPO. All of these costs may be ruinous for smaller businesses. Companies are likely to pass GDPR costs on to their products or services, resulting in higher prices and less competitive European companies relative to eastern (e.g. Asian) countries to which the European regulation does not apply. However, it will also affect companies and institutions outside the EU that operate on the European market.
Can you be fined?
Fulfilment of the GDPR requirements is a long-term process. Those who have not yet begun with the GDPR will definitely not meet the deadline, so it is important to at least plan and initiate the relevant business processes. If, after 25 May 2018, the regulatory authorities determine that a company is implementing the GDPR through a systematic and responsible process, it will not face the same sanctions as a company that has not yet begun at all. How much is the fine? If a company is unable to demonstrate its compliance with the GDPR, it may incur a penalty of up to 20 million EUR or 4% of the group’s worldwide turnover for the previous financial year, whichever is higher. According to a survey conducted by Gartner, about 50% of companies will not be fully in line with the GDPR by the end of 2018.
Where can you find help with the GDPR?
Due to the GDPR’s demands on information systems, IT suppliers and integrators are key partners for companies, since the appropriate measures cannot realistically be managed in any way other than electronically, through software. IXTENT is ready to assist you with this issue: we can transform your business to digital and set up the electronic processes needed to meet the GDPR guidelines.
What is the prerequisite for successfully managing the GDPR?
“It is important to implement retention policy measures, due to regular and controlled shredding. Data should not be kept longer than is necessary for them to fulfil their purpose,” says Roman Knapp, Commercial Director of IXTENT s.r.o. Therefore, it is necessary: 1) to define a policy setting retention periods for all personal data media handled by the organization; 2) to set up and use administrative and IT procedures in accordance with this policy; and 3) to ensure that information on former customers, employees, or business partners is routinely removed from systems.
Did you know that personal information is also on invoices or delivery notes?
Personal information is stored in various formats: business and work communications contain unstructured information in documents, while business processes, by contrast, create structured data. Personal data include, for example: HR records, logistics documents, contracts and orders, marketing materials, tendering data, and supply chain data. These data must be erased once the reason for their storage has lapsed.
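The three steps above (a retention policy per category of personal data, a procedure that applies it, and routine removal of expired records) can be implemented as a small retention sweep. The following is an added example written for this page; it is not IXTENT's or OpenText's code. The record categories, retention periods, record identifiers, and the legal-hold ("freeze") flag are all assumed, illustrative values, not legal advice. The sweep also keeps an audit trail of every decision, which is what the principle of accountability described earlier asks an organization to be able to show.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per record category, in days. Assumed, illustrative values:
# a real policy would take these from the organization's documented retention schedule.
RETENTION_DAYS = {
    "hr_record": 3 * 365,
    "invoice": 10 * 365,
    "marketing_consent": 2 * 365,
    "contract": 5 * 365,
}

# Date of the sweep used in the sample run below (the GDPR application date).
SWEEP_DATE = date(2018, 5, 25)


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date      # when the purpose of processing ended (e.g. employment ended)
    legal_hold: bool = False  # "frozen" record: must not be deleted while a dispute/audit is open


@dataclass
class Decision:
    record_id: str
    action: str   # one of: "delete", "retain", "hold", "review"
    reason: str


def evaluate(record: Record, today: date) -> Decision:
    """Apply the retention policy to a single record."""
    period = RETENTION_DAYS.get(record.category)
    if period is None:
        # No rule defined: never silently keep or delete, escalate to a human instead.
        return Decision(record.record_id, "review",
                        f"no retention rule for category {record.category!r}")
    expiry = record.purpose_ended + timedelta(days=period)
    if record.legal_hold:
        # A hold overrides expiry; the record is reported but not removed.
        return Decision(record.record_id, "hold",
                        f"legal hold in place (retention would have ended {expiry.isoformat()})")
    if today >= expiry:
        return Decision(record.record_id, "delete",
                        f"retention period expired on {expiry.isoformat()}")
    return Decision(record.record_id, "retain",
                    f"retention runs until {expiry.isoformat()}")


def run_sweep(records, today: date):
    """Evaluate every record and produce decisions plus an audit trail of them."""
    decisions = [evaluate(r, today) for r in records]
    audit_log = [
        f"{today.isoformat()} sweep record={d.record_id} action={d.action} reason={d.reason}"
        for d in decisions
    ]
    return decisions, audit_log


def apply_deletions(store: dict, decisions) -> dict:
    """Return the store with every record marked 'delete' physically removed."""
    to_delete = {d.record_id for d in decisions if d.action == "delete"}
    return {rid: rec for rid, rec in store.items() if rid not in to_delete}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("HR-001", "hr_record", date(2014, 1, 1)),                    # expired: delete
    Record("INV-042", "invoice", date(2015, 3, 1)),                     # 10-year rule: retain
    Record("MKT-007", "marketing_consent", date(2016, 1, 1), True),     # expired but frozen: hold
    Record("MISC-1", "internal_note", date(2010, 6, 1)),                # no rule: review
]

if __name__ == "__main__":
    decisions, log = run_sweep(SAMPLE_RECORDS, SWEEP_DATE)
    for line in log:
        print(line)
    remaining = apply_deletions({r.record_id: r for r in SAMPLE_RECORDS}, decisions)
    print("remaining:", sorted(remaining))
```

The "review" outcome for an unknown category is deliberate: a sweep that defaults to deleting (or keeping) data it has no rule for is exactly the kind of undocumented behaviour an auditor will ask about. The audit lines are the evidence trail; in a real deployment they would go to a write-protected log rather than standard output.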
What software should you choose for the GDPR?
Records Management, part of the OpenText platform, is a lifecycle management tool for unstructured information (supporting archiving plans, retention policy setup, data freezing, and searching across all archived information) and is well suited to this purpose. The platform is the ideal workplace for company Records Managers and Data Protection Officers in charge of GDPR, allowing them to set individual rules and complete policies, manage retention periods, search and “freeze” data, and produce reports.
An extension of this software is Ixtent Smart Document Flow, which, in connection with the GDPR, provides useful add-on features such as automatic document deletion rules, logical and physical deletion of documents, and simple rights settings for individual groups of documents or users.
The EU aims to promote digitization through its new regulations. In terms of the GDPR, it is also necessary to remember the personal data contained in documents, not just in databases. Ixtent is technologically ready for the requirements of the GDPR in the field of document management with its OpenText Records Management tool, an essential part of the document management platform. The prerequisite for successful implementation of the GDPR is the transition to electronic versions of documents. IXTENT’s solution is able to secure various sources of unstructured data and information. Comprehensive coverage of the GDPR requirements is ensured in cooperation with the system integrator (through the Ixtent Smart Document Flow extension). For the initial and subsequent legal consultations, we provide a legal expert on the GDPR.
Ask us today about a reliable solution that will guarantee your successful management of the GDPR!