GDPR is a very hot topic right now, but what does the shortcut GDPR stand for, what does GDPR contain and is your company affected by it? Why do companies have to fear fines of up to 20 million Euro if they don`t comply with GDPR guidelines?
It`s not easy to retain an overview of this «jungle», given almost daily updates and articles.
The European Data Protection Regulation (EU-DSGVO), also called General Data Protection Regulation (GDPR) internationally, came into force in all EU member states on 25th May 2018.
Legally binding for companies domiciled in the EU, the regulation also concerns companies from third party countries – such as Switzerland. Simply put, the law dictates new and stricter rules on personal data to companies, government agencies as well as non-profit and other organisations – irrespectively of where they are domiciled worldwide, if:
1) They offer goods or services to customers in the EU or if
2) They track, gather or analyse the behaviour of EU-citizens
According to the new GPDR specifications personal data is classified as information referring to a specific or definable person; for instance a name, a photo, an email address, bank details, location details, medical information or a computer IP-address.
Imagine a Swiss company, a book store for example, who in addition to their city store also runs an online shop. Through this online shop customers from another European country order books. Therefore, the bookseller is required to oblige by GDPR Regulations and implement them accordingly.
The new Data Protection Regulation is complex. It comprises of 99 articles and 173 considerations. Put in highly simplified terms, the guideline defines the rights an individual has with regards to their personal data.
The right to disclosure
Affected individuals may demand disclosure at any time within a short time frame as to whether data has been captured about them and what data for which purpose exactly. On request the company has to provide a copy of the personal data, free of charge and in an electronic format.
The right to erasure
WIf recorded personal data is no longer necessary for the originally intended purpose or if a person withdraws their consent to use their personal data, then the data has to be deleted immediately.
The right to data portability
Under certain circumstances affected individuals have the right to transfer their data from one provider to another ; for instance from one phone provider to another. The data transfer requires a standard and machine-readable format.
The right to be informed
At the time of data collection a company has to inform an affected individual comprehensively about which of their personal information are collected and saved for which purpose. A customer needs to be in the position to consciously decide on this including what kind of information are collected exactly.
The right to object
This describes the right of an individual to stop data processing for the purpose of direct marketing. There are no exceptions to this rule and any further processing is prohibited as soon as the request has been received.
What happens if companies don`t comply with these regulations?
In the future data protection of personal information will gain even more in importance. Companies who don`t comply with the new regulations can be punished with sanctions and fines. The maximum fine can amount to up to 20 million Euro or up to 4% of the overall word-wide annual turnover of the previous financial year, depending on which value is higher.
How can companies best prepare for GDPR?
Obtain information! What does data protection mean exactly? Which processes and procedures are affected? Get advice and support from specialists, who focus on topics such as data protection and information security.
We are happy to provide you with our « GDPR checklist » on request.