The General Data Protection Regulation (GDPR), is a new set of data privacy laws that require businesses to prioritize the protection and privacy of personal data belonging to European Union (EU) residents.
Failure to comply with this new regulation by the May 25th, 2018 enforcement date could result in hefty fines. It’s important to note that even if your company is based outside the EU, the GDPR may still apply… If your company does any kind of business with other companies or customers residing in the EU, you’re obligated to comply or risk facing the penalties.
Here’s what you need to know…
Key points in the GDPR
1. Scope: The new GDPR applies to any and all companies processing the personal data of EU residents. The location of the company doing the processing is irrelevant. Personal data is defined as anything that can identify an individual, be it directly or indirectly. Pictures, Facebook posts and personal addresses, for example, as well as business material like resumes, documents, files and contracts are included.
2. Consent: When attempting to obtain consent, a business is strictly forbidden to make requests in long, easily misunderstood legalese. Rather, a clear and easily assessable form using plain language must be used. Should your business need to use a customer’s data in a specific way, consent must be asked for and given in clear, explicit terms.
3. The Right To Be Forgotten: Also known as the Right To Erasure, the Right To Be Forgotten is another key point in the new GDPR and enables a person to have their personal data expunged by a data controller due to irrelevance or a withdrawal of consent. As a business owner, your company needs to be ready and willing to fulfill such requests.
4. Breach Notification: In the event of a data breach, notifications to the effected individuals are mandatory within 72 hours of first becoming aware. The one stipulation to this is that the data breached must be likely to “result in a risk for the rights and freedoms of individuals” as detailed in Article 33 of the GDPR regulation. Meaning notification is only required if the data breached hasn’t been anonymized.
5. Privacy By Design: Though the concept of privacy by design is nothing new, the legal requirement of it is. The GDPR mandates that all systems and applications be built from the ground up with data protection in mind, rather than simply “adding it in” at a later date. Article 23 of the GDPR takes this concept even further by stating that data controllers must hold and process only the vital information needed to carry out their duties and access to such data should be limited to necessary personnel only.
6. The Right To Information: As a business complying with the new GDPR, you are required to inform your clients and customers how and why their data is being processed. Ideally, this will be handled at the beginning of your relationship with each individual (when asking for consent), but your customers have the right to stay informed beyond this point as well. Be ready to supply the desired information in an understandable and concise way and always free of charge.
7. Data Portability: Every data subject (customer or client) has the right to receive their personal data from a data controller and transfer it to another provider should they so choose. According to the GDPR, your business must be capable of and willing to accomodate such a request.
What this means for Sync customers
If you’re a Sync customer, know that our team is fully committed to protecting your data privacy in the cloud, and we’re committed to meeting the provisions outlined in the new GDPR.
Currently, Canada’s data privacy laws are compatible with the EU data privacy framework, as determined by the European Commission, and data can flow freely between Canada and the EU without issue. This means that, as a businesses operating in the EU or UK, you can safely use Sync today.
Additionally, due to Sync’s commitment to your privacy, our platform already conforms with many GDPR provisions such as privacy by design, the right to information, data portability, and the right to be forgotten. And we will continue to build on our commitment to ensure full GDPR compliance in advance of the May, 25th 2018 enforcement date.
The GDPR may seem complicated and overwhelming, but by partnering with Sync, you’re ensuring for your business the easiest route to full compliance. Feel free to contact our knowledgable team for any remaining questions or concerns.
We’re happy to help!