What is GDPR and how does it affect you?
As of 25th May 2018, the European Parliament’s General Data Protection Regulation (GDPR) will apply in all EU countries. The GDPR does not invalidate previous requirements regarding personal data processing, but adds additional rules and obligations. The aim of the GDPR is to ensure better protection of natural persons’ data by giving persons more control over their data. The GDPR applies to very many companies, which have data regarding natural persons (including clients, employees).
What are the main changes?
- The „right to be forgotten“ will be written into legislation and does not stem from the court practice alone anymore
- Data portability – personal data should be accessible for the persons and also it should be portable
- Person’s consent is not for ever – more stricter rules are set forth in case the personal data is processed with persons consent
- Obligation to appoint data protection officer – the need to appoint one will be determined with an audit
- Authorizing others to process the personal data – more stricter rules and the person offering the service is in accordance with data protection rules
- Data protection principles – data protection principles should be followed, so that data security is assured in every process
One of the motivation to follow the rules, are certainly the very high penalties: in the amount of 20 000 000 euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Besides the new and more strict rules, the GDPR will have effect on very many companies. The GDPR will affect every EU’s company, which is processing personal data (even employee’s data is enough and does not have to be EU citizen’s data), every non-EU company which is processing EU citizen’s data (even if the company is not located in the EU) and also every non-EU company if it has office in EU or they process EU citizen’s or resident’s personal data.
As the regulation’s scope is very wide, every company should analyse whether they fall under the scope of GDPR and might there be a possibility to avoid that. Otherwise the grave penalty may be just an inch away. Data protection experts can help with the analysing and give advice how to proceed. Even taking the first step might mediate the risks.
Need more information regarding GDPR and its applicability? Contact NJORD attorneys Katrin Sarap and Liisi Jürgen.