The latest European data protection regulation – Are you ready?
Digitalisation has long been part of our business lives and it continues to progress at breath-taking speed. Thanks to cloud computing, bring your own device (BYOD) and the wide availability of IT products, small companies and organisations enjoy opportunities that were previously only available to large enterprises. Today, borders and locations hardly matter any more: customers are at home all over the world, and many of them are in the EU. This creates new challenges, especially in data protection, because the rules and laws attached to natural and legal persons must be observed wherever those persons are.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a European Union regulation that standardises the data protection laws of all EU member states and replaces the 1995 Data Protection Directive (95/46/EC). It entered into force on 24 May 2016 and has applied, without any further national transposition, since 25 May 2018.
The GDPR contains a series of new rules that require data protection processes and systems to be reviewed and updated. The result is a new “path to compliance” for staying on the right side of the law, but it inevitably creates problems: the larger the collection of personal data, or the more closely the organisation’s purpose is linked to the use of personal data, the more complex these challenges become.
Individuals have new and extensive rights concerning how their personal data is processed:
- The right to be informed about the purpose of, and the legal basis for, the processing.
- The right to erasure: to have data deleted once the purpose of the processing has been fulfilled*.
- The right to data portability: to receive the processed data and transfer it to another company.
- The right to rectification of inaccurate information.
* Requests must be answered within one month (extendable by two further months for complex or numerous requests).
IP addresses and cookie identifiers are also expressly treated as personal data (online identifiers, Recital 30)!
Our specialists work intensively on the GDPR. Together with our partners, we check whether your IT is GDPR-compliant, and our partners, wherever possible, design the services they offer you to be GDPR-compliant out of the box.
Here’s a selection:
- Microsoft: Commits that its cloud and on-premises products meet GDPR requirements (documentation in English). These include Office 365, Dynamics 365, Azure, SQL Server, Enterprise Mobility + Security, Windows 10 and Microsoft 365.
- Adobe: Adobe’s European operations are run from Ireland, so EU law applies to them directly (the GDPR would in any case cover Adobe’s processing of EU residents’ data, wherever the company is based). Adobe’s Privacy Center (English) is extensive and provides information on the use, storage and integrity of personal data. Adobe & GDPR Information.
- Oracle: Oracle has offered database security and data backup products for many years. The company supports the discovery and identification of personal data for risk assessments, and offers protective measures ranging from encryption to anonymisation of personal data. Detecting and preventing data breaches cannot be done with classic network firewalls alone; Oracle Audit Vault and Database Firewall allow simple and flexible monitoring of access to the data held in existing databases. Oracle & GDPR Information (English). Oracle GDPR Webinar Recording (English).
- Trend Micro: Trend Micro states that its own security practices are already GDPR-compliant. Its products and solutions cover the technical requirements in physical, virtual, cloud-based and hybrid environments, both for data security and for the early detection of reportable incidents. Trend Micro & GDPR Information.
- VMware: The NSX network virtualisation platform allows security tools to be deployed in the data centre network at a fraction of the cost of new hardware. It’s easy to implement and supports you in fulfilling GDPR requirements in your company. VMware & GDPR Information (English).
Does the GDPR only relate to EU customers’ personal data?
No. The GDPR applies to all processing of personal data by organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). An organisation’s location therefore does not exempt it. Of the European Free Trade Association (EFTA) states (Iceland, Liechtenstein, Norway and Switzerland), the three EEA members Iceland, Liechtenstein and Norway have incorporated the GDPR into the EEA Agreement; Switzerland is not bound by it but has revised its own Federal Act on Data Protection along similar lines.
The text of the regulation is final, but detailed guidance from the supervisory authorities on how to meet it is still being developed. The core requirements are already clear:
- Data Protection by Design and Data Protection by Default.
- Pseudonymisation and encryption of personal data.
- Appointment of a data protection officer who monitors compliance with the regulation. This is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); it is advisable for everyone else.
- Introduction and implementation of suitable policies and processes.
- Informing the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); affected individuals must also be informed where the breach is likely to result in a high risk to them (Article 34).
- Prevention of unauthorised access to personal data.
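The pseudonymisation requirement above is easy to get wrong for IP addresses, which this page already flags as personal data: simply hashing an address is not pseudonymisation, because the whole IPv4 space (2^32 values) can be enumerated and every hash looked up. The following Python script is an added example, not code from this page or from any of the vendors listed above; the key, the log lines and the function names are constructed for the demonstration. It pseudonymises the client address in web-server log lines with a keyed HMAC, and shows why the plain hash can be reversed by brute force while the keyed token cannot.

```python
import hashlib
import hmac
import ipaddress
from typing import List, Optional

# Constructed demo key for this example only. In production generate the key
# once (e.g. secrets.token_bytes(32)), keep it in a secrets store that is
# separate from the logs, and rotate it if long-term linkability is unwanted.
DEMO_KEY = b"constructed-demo-key-do-not-reuse-0123456789"


def normalise_ip(ip: str) -> str:
    """Canonical text form, so '2001:0DB8::0001' and '2001:db8::1' get the
    same token. Raises ValueError if the string is not an IP address."""
    return str(ipaddress.ip_address(ip.strip()))


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address. This is NOT pseudonymisation: anyone
    holding the logs can hash every candidate address and look the original up."""
    return hashlib.sha256(normalise_ip(ip).encode()).hexdigest()


def pseudonymise(ip: str, key: bytes = DEMO_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 truncated to 128 bits (32 hex chars).
    Same address + same key always gives the same token, so sessions,
    rate limits and abuse analysis still work on the pseudonymised logs;
    without the key the token cannot be mapped back to the address."""
    mac = hmac.new(key, normalise_ip(ip).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def candidates_for_network(cidr: str) -> List[str]:
    """Every address in a network, used here as an attacker's guess list."""
    return [str(host) for host in ipaddress.ip_network(cidr)]


def recover_by_brute_force(token: str, candidates: List[str]) -> Optional[str]:
    """What someone holding the logs but not the key can try: hash each
    candidate address and compare. Succeeds against plain_hash(), fails
    against pseudonymise() because the HMAC key is missing."""
    for ip in candidates:
        if hmac.compare_digest(plain_hash(ip)[: len(token)], token):
            return ip
    return None


def pseudonymise_log_line(line: str, key: bytes = DEMO_KEY) -> str:
    """Replace the client-address field (first token of a combined-log-format
    line) with its pseudonym. Lines whose first field is not an address are
    returned unchanged."""
    client, sep, rest = line.partition(" ")
    try:
        return pseudonymise(client, key) + sep + rest
    except ValueError:
        return line


# Constructed sample log lines using RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [10/Oct/2018:13:55:41 +0000] "GET /login HTTP/1.1" 200 512',
    '2001:db8::1 - - [10/Oct/2018:13:56:02 +0000] "POST /login HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(pseudonymise_log_line(line))

    guesses = candidates_for_network("192.0.2.0/24")
    print("plain hash recovered:", recover_by_brute_force(plain_hash("192.0.2.10"), guesses))
    print("keyed token recovered:", recover_by_brute_force(pseudonymise("192.0.2.10"), guesses))
```

Two practical points follow from this. First, the key is the “additional information” in the GDPR’s definition of pseudonymisation (Article 4(5)) and must be kept separately from the logs; pseudonymised data that can be re-identified with the key remains personal data (Recital 26), so it is a risk-reduction measure, not an exemption. Second, rotating the key (for example daily) breaks linkability across periods, which is often the right trade-off for analytics logs where only short-term correlation is needed.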