Getting ready for GDPR
Published: 01/11/17
Across all sectors, businesses that work with EU-based clients need to be aware of the fast-approaching implementation of the European Union's new GDPR directive.
The directive creates one of the most customer-focused data protection and data privacy legal frameworks to be found anywhere in the world and, for the first time with EU data laws, it is extra-territorial in scope, meaning that your business doesn't have to be in the EU for the law to apply.
Given GDPR's international scope, the team at Jendev has long been aware of the law's new requirements. With the support of Microsoft, which has acted quickly to ensure its Cloud services are fully compliant and that Microsoft Utility Billing partners like Jendev are fully briefed and provided with the tools we need, we have moved fast to ensure our products are compliant in themselves and that they also enable compliance for our clients.
As well as the extra-territorial nature of GDPR, there are a number of 'headline' provisions that all businesses really do need to be aware of:
Customer consent is crucial
GDPR makes it clear that customers must give their consent for data to be held by companies providing them with products or services. That consent must be clear and understandable to the customer, which means that companies need to look at their current consent requests and determine whether they're bogged down in complex legal terminology.
The terms of consent must also be clear and related to the specific data-processing purposes that are needed by the business. It will no longer be possible to use consent as a free pass to use client data in ways beyond the original terms of the consent.
GDPR comes with teeth
Before any business considers cutting corners on GDPR compliance, they should assess the risks because the EU law drafters have ensured that those risks are significant.
The maximum penalty for a breach of GDPR is 4% of annual worldwide turnover or €20 million, whichever is the greater amount. In the event of a breach, the authorities will be looking for evidence of compliance with the law. Those firms that can show they had done things by the book will receive lesser punishments than those that disregarded the new provisions.
At all times, you are the data controller
GDPR is very clear about where responsibility lies for data protection. In short, it lies with you as the organisation entering into agreement with the client. It doesn't matter that you may have engaged a third party to process the data via the Cloud. You remain responsible and so must ensure that you work with partners, like Jendev, that you can trust.
How you comply is up to you
GDPR does not provide information about specific technologies that must be used; instead, it talks about concepts. This leaves organisations able to choose the best road to compliance for their own circumstances.
Naturally, there is much more to GDPR than we can cover here, but if you'd like information about how Jendev is working to ensure its products and clients are GDPR compliant, then please do not hesitate to contact us.