The GDPR becomes effective on May 25th 2018. Not all companies are prepared for the new regulation or even fully aware of what this means for their business and their personal data policies. In this blogpost we highlight the important changes that you should have in mind.
What is GDPR?
The General Data Protection Regulation is new legislation on how businesses, companies, government agencies and non-profits treat their clients' personal data. It is the first new regulation in this area in over two decades, and its aim is to renew the outdated laws and regulations on personal data protection. The new rules are better adapted to modern technology and to the ever-expanding amount of personal data stored in cloud solutions all over the world.
The new rules apply to all companies that collect data from EU or EEA (EØS) citizens, regardless of where the company is located. Hence, a company operating in the US will have to comply with the GDPR if it manages data from one or more of the 31 EU or EEA (EØS) countries. The EU's goal is to improve personal data safety by strengthening the protection of its citizens and by giving them more rights than they have today.
The GDPR therefore includes important changes such as the individual's right to be forgotten (erasure) and the right to limit how one's personal data is used, stored and processed, which will mean great changes in how businesses currently treat personal data.
What will the GDPR mean to you and your business?
The new rules of the GDPR will mean significant changes for your organization, unless you have already adapted your business' IT strategy to meet the requirements of the new regulations. In general, the new regulation requires you to collect, store and use personal data in new ways.
The changes from the new rules for handling personal data can be summarised as follows:
- All businesses must have a comprehensible statement on personal data protection, which is easy to read and understand for everyone who works within the company as well as for the data subjects. All businesses must evaluate risks and consequences to the security of personal data, so that the business is always up to date on its personal data security.
- All businesses must have the security of personal data in mind whenever changes in the business occur, in order for the personal data to stay safe through organizational changes and, more importantly, in the event of transfers of personal data to company sites outside the EEA (EØS) zone.
- All public and many private businesses must have a Data Protection Officer (DPO), who can be an employee or a professional third-party consultant.
- All data processors get new responsibilities, such as new routines for how they can collect and use personal data.
- There will be stricter requirements for all businesses in handling security breaches. Basically, businesses need to report breaches faster and more often than under current procedures, and no later than 72 hours after discovery.
- All businesses must comply with the new rights of the citizens, who now have the right to be forgotten and to move their personal data from one business to another. Citizens also have the right to reject being profiled.
- Furthermore, all companies must answer inquiries made by citizens about personal data safety within a month.
How can we help you?
As a Microsoft Gold partner, we at Ironstone are thrilled to see the proactive steps Microsoft has taken towards GDPR compliance. Microsoft was the first cloud service provider to implement the stringent requirements of the ISO 27018.
The team at Ironstone is highly competent and knowledgeable about the new requirements of the GDPR, and about what the new legislation means for businesses with personal data stored in cloud solutions. At Ironstone, we are committed to delivering technology and cloud products that are made to be compliant with the GDPR.