READ THIS IF YOU DO BUSINESS WITH ANYONE IN EUROPE.
One of the most significant changes to European Union (EU) privacy law in 20 years goes into effect this May. The new General Data Protection Regulation (GDPR) provides EU citizens with greater control over their personal data and how that data is used and protected, both in Europe and abroad (this is where it affects you: if you hold data about someone living in the EU in your computer systems, the regulation applies to you). In this context, “personal data” can refer to anything from name, email, address, date of birth, personal interests, photos, digital footprints, social posts, and more. GDPR replaces the 1995 Data Protection Directive, which was written long before web technology matured and before clouds were anything other than meteorological phenomena.
With all the new technological advances, it was time to update legislation from the Data Protection Directive, giving birth to the GDPR. This new legislation imposes new and stronger rules on companies, non-profits, governments, and any other organization that provides goods and services to individuals in the EU. If you sell (or buy) internationally, this means your business too.
GDPR has a widespread effect, impacting both domestic and international organizations, big and small. Any group that uses a database to store prospect or customer information simply cannot afford to ignore the new GDPR regulations. This means that if your organization sells to anyone in Europe and stores customer information — and nearly 90 percent of surveyed businesses do store that information in digital databases — you must be GDPR compliant or face significant consequences.
3 Big GDPR Considerations
GDPR is a large, complex regulation, but it can be broken down into three main areas that businesses need to understand:
- The Regulation Itself: The GDPR is intended to protect the privacy of EU citizens. The new regulations provide assurance for individuals that their data is not collected and/or used without their express consent. This means that any time an individual submits personal information, the company collecting it has to ensure that consent is given. Consent must be obtained freely—no auto-checked boxes that opt someone in—using plain and clear language. This impacts everything from “contact us” forms on your website to future email marketing campaigns.
- The Systems You Use: Not only will you need to audit your systems to ensure that the information stored within them is secured and that consent has been given, you’ll also need to ensure that, within your company, system users only have the permissions and access privileges their specific role requires. Certain individual records and data fields, such as tax information or bank account numbers, may need to be restricted so that standard user roles cannot read them.
- The Legal Aspects and How They Affect You: Non-compliance is not cheap. Your organization could be fined up to 4 percent of annual global turnover or €20 Million if you are not GDPR compliant. Other fines may also be imposed, such as a 2 percent fine for not having records in order, not notifying when a breach occurs, or not conducting an impact assessment.
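The two practical points above (explicit consent, and role-based restriction of sensitive fields) are easy to get wrong in a customer database. The following is an added illustration, not code from this article, from Microsoft or from NAV: it models a customer record with a per-role field allow-list, redacts restricted fields for any role not entitled to them (unknown roles see nothing), treats only an explicitly recorded consent as consent, and produces a small audit report of which roles can read the restricted fields. The role names, field names and sample values are constructed for the example.

```python
from typing import Dict, FrozenSet, List

# Fields the article singles out as needing tighter access (hypothetical names).
RESTRICTED_FIELDS: FrozenSet[str] = frozenset({"tax_id", "bank_account"})

# Which fields each role may read. Roles are constructed for illustration;
# anything not listed here is denied, so a typo in a role name fails closed.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "sales": frozenset({"name", "email", "marketing_consent"}),
    "finance": frozenset({"name", "tax_id", "bank_account"}),
    "admin": frozenset({"name", "email", "marketing_consent",
                        "tax_id", "bank_account"}),
}

REDACTED = "<redacted>"

# Constructed sample customer record with fake values.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Example Customer",
    "email": "customer@example.com",
    "marketing_consent": False,          # consent was never explicitly given
    "tax_id": "TAX-CONSTRUCTED-123",
    "bank_account": "IBAN-CONSTRUCTED-456",
}


def view_record(record: Dict[str, object], role: str) -> Dict[str, object]:
    """Return the record as the given role is allowed to see it.

    Every field the role is not entitled to is replaced by REDACTED rather
    than dropped, so callers can see that data exists without reading it.
    """
    allowed = ROLE_FIELDS.get(role, frozenset())  # deny by default
    return {k: (v if k in allowed else REDACTED) for k, v in record.items()}


def roles_with_restricted_access(
    role_fields: Dict[str, FrozenSet[str]] = ROLE_FIELDS,
) -> Dict[str, List[str]]:
    """Audit helper: for each restricted field, list the roles that can read it.

    Reviewing this output is the 'audit your systems' step: any role that
    appears here without a business need for the field is over-privileged.
    """
    return {
        f: sorted(r for r, fields in role_fields.items() if f in fields)
        for f in sorted(RESTRICTED_FIELDS)
    }


def may_send_marketing(record: Dict[str, object]) -> bool:
    """Only a recorded, explicit True counts as consent.

    A missing key or a defaulted/falsy value is treated as no consent,
    which mirrors the 'no auto-checked boxes' requirement.
    """
    return record.get("marketing_consent") is True


if __name__ == "__main__":
    for role in ("sales", "finance", "guest"):
        print(role, view_record(SAMPLE_RECORD, role))
    print(roles_with_restricted_access())
    print("marketing allowed:", may_send_marketing(SAMPLE_RECORD))
```

Running the block prints the same record as seen by a sales user (tax and bank fields redacted), a finance user (contact fields redacted) and an unknown role (everything redacted), followed by the audit report and the consent decision. The design choice worth copying is that the allow-list is the only source of truth: there is no separate "deny" list to drift out of sync, and a role that is not configured gets nothing.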
Updating Systems for GDPR Compliance
Fortunately, Microsoft has been working on this issue for quite some time, because privacy is important to all of us, both personally and professionally. Here are four tools to help you with GDPR.
- Microsoft has published this paper regarding NAV & GDPR
- How to become and remain compliant – Microsoft’s general paper covering in-house, cloud and hybrid computer systems.
- Free – Compliance Manager: use this free Microsoft tool to help your GDPR compliance journey.