At CluedIn, we are helping our customers become GDPR compliant by solving the problem of unifying dispersed information, scattered across different systems. We now full teams dedicated to solving the compliance, consultancy and complexity involved with making companies comply to the quite tough EU data regulations.
We thought we would summarize the huge 154 page document into concise points and give you a bit of the history on what got us to this point.
- The GDPR was initially developed with a focus on social networks and cloud providers, but did not consider requirements for handling employee data sufficiently – hence it was revisited to cover this.
- EU citizens no longer have a single Data Protection Agency (DPA) to contact for their concerns, but have to deal with the DPA chosen by the company involved.
- The requirement to have a Data Protection Officer (DPO) is new for many EU countries and criticized by some for its administrative burden.
- The biggest challenge seen so far with the regulation is that the implementation of the GDPR in practice is hard to make technically possible:
- The EU GDPR will require comprehensive changes to business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force.
- There is already a lack of privacy experts and knowledge as of today and new requirements might worsen the situation. Therefore education in data protection and privacy will be a critical factor for the success of the GDPR. It is not possible for a lot of companies to afford or have access to the right people to make sure they are compliant.
The proposal for GDPR was released on 25 January 2012 and the EU Council aimed for formal adoption in early 2016.
The schedule has now changed to:
- 21 October 2013: European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.
- 15 December 2015: Negotiations between European Parliament, Council and Commission (Trilogue) have resulted in a joint proposal.
- 17 December 2015: European Parliament’s LIBE committee voted positively on the outcome of the negotiations between the three parties.
- 8 April 2016: Adoption by the Council of the European Union.
- 14 April 2016: Adoption by the European Parliament.
- The regulation entered into force 20 days after its publication in the EU Official Journal on 4 May 2016. Its provisions will be directly applicable in all member states two years after this date.
- It shall apply from 25 May 2018.
For companies wondering what this process will look like. It will essentially involve collaboration between the DPA that a company works with for which you would like them to forget your data. Once this has been established, a person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used Open Standard electronic format. This is slightly different to the “Right to Erasure” where the data subject has the right to request erasure of personal data related to them on any one of a number of grounds.
So now that we know more about the process, what happens to companies that do not comply with this process?
- a warning in writing in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
How can we help at CluedIn?
At CluedIn we specialize in integrating data from different systems and merging personal data where we have found that they are connected or affiliated in being a personal identifier. This means that if we take the momentous task of erasing all data on a particular user and all the manual validation involved in that, this is something the CluedIn does for you. Once all your integration points are processed through our processing pipeline we have done all the work necessary to unify a persons data into one easy to access entity. It is also important to mention that this is all done automatically, there is no manual mapping done by you as a customer. This means that for your company to become compliant, it is not months or years of development, but rather, we can have your data unified within weeks.
The easiest way to get started it to book a free consultancy with our Data Protection Officer at CluedIn. You can signup for a free consultancy at https://calendly.com/cluedin/gdpr