On May 25th, 2018, the new General Data Protection Regulation (GDPR) officially took effect. This piece of legislation is critical to various industries and businesses, but what exactly does it encompass?
GDPR’s primary goal is to protect individuals in the European Union (EU) when it comes to their personal information. It safeguards people located in the EU, regardless of citizenship, by requiring the businesses that use and store their data to do so properly.
Specifically, GDPR assigns responsibility for data processing to two kinds of parties, “controllers” and “processors.” The controller is the party that determines why and how personal data is processed (the purposes and the means) and is accountable for that decision. The processor handles personal data on the controller’s behalf and only on the controller’s documented instructions; it does not own the data, but it carries its own GDPR obligations for how it manages, stores, and secures it.
GDPR replaces the EU’s 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998), updating the rules for how personal data is handled. A major influence on GDPR is the growth of the digital economy, which creates more opportunities for misuse of data and, unfortunately, for data breaches. Under GDPR, businesses need to know where their clients’ data is stored at all times and must consider the risks that arise in every data processing activity.
There is a misconception that GDPR applies only to businesses in the EU, but that is not the case. Under its territorial scope (Article 3), GDPR also applies to a company outside the EU, including a U.S.-based one, if it offers goods or services to individuals in the EU or monitors their behavior. Merely having a website that EU visitors can reach is not by itself enough; actively marketing products or services to people in the EU, or tracking their online behavior, is.
In particular, this applies to businesses that collect “personal data or behavioral information from someone in an EU country.” It is important to note that an individual does not have to buy a product or service to be protected by GDPR.
No matter where your company is located, if you serve individuals in the EU or could gather data about them, you are subject to GDPR and to hefty fines for non-compliance.
Many businesses that use outsourcing are concerned that GDPR will affect third-party relationships. GDPR compliance merely means that both you and your outsourcer need transparency when it comes to data processing systems. More than likely, reliable and professional outsourcers already have required data protection systems in place. Great outsourcing companies will be willing to demonstrate they are GDPR-compliant, and how they can help you fulfill compliance.
By working with a GDPR-ready outsourcing company, data controllers help ensure that data processing activities are handled appropriately. Under GDPR, data processors (which include outsourcers) carry direct legal obligations in relation to processing personal data, which gives outsourcers a strong incentive to improve the security of the personal data you put in their hands. Outsourcing can also make it easier and more economical for you to meet your own security obligations, although as the controller you remain accountable for the processing.
Again, effective outsourcers will likely already have systems in place to retrieve a specific individual’s personal data on request, and to amend, rectify, transfer, and delete personal data, which is what responding to data subject requests for access, rectification, portability, and erasure requires. Effective outsourcing partners will process personal data only for the specified purposes and only on your instructions.
An additional benefit of working with a good outsourcer is that they will be willing to work with you to guide, manage, and adjust your data processing systems to establish appropriate security and organizational procedures. Outsourcing providers should give you peace of mind when it comes to complying with additional obligations, and ensuring you minimize the risk related to personal data processing.
While relationships with outsourcers remain mostly unaffected, there are some changes to outsourcing contracts that should be deliberated.
There needs to be a written agreement in place with all data processors, which again includes outsourcing partners. GDPR (Article 28) sets out what these agreements must cover: the subject matter, duration, nature, and purpose of the processing; the types of personal data and categories of individuals involved; the processor’s obligation to act only on your documented instructions; confidentiality and security measures; the conditions under which sub-processors may be used; assistance with data subject requests and breach notification; deletion or return of the data when the contract ends; and your right to audit. In practice, this means you should:
Ensure that your written agreement includes the appropriate rights for you.
Review current contracts and adjust contract renewals as needed.
It may be overwhelming to think about the consequences of non-compliance. GDPR sets maximum fines at 20 million euros or four percent of annual global turnover, whichever is higher. At 2018 exchange rates, 20 million euros is well over $20 million.
It’s easy to say that you know where all your data is, but do you really know where it is at all times? Say an employee copies customer data from a work computer onto a flash drive to finish a task later at home. There is no ill intent, but that copy is now outside your controls: it may be unencrypted, it is not covered by your retention and deletion procedures, and if the drive is lost you may have a personal data breach that must be reported to the supervisory authority within 72 hours. The penalties are too impactful to take the risk.
At DDC, we have already been working with our existing partners to ensure that our joint obligations are met, and that both parties have lawful processing and security of personal data.
Effectively manage your GDPR risk and comply now without the stress of doing it on your own.
RiskView gathers data from individual computers, analyzes each machine’s risk profile, and grades it by the amount of non-compliant data it holds. RiskView’s assessments provide an audit trail that demonstrates care and progress in regulatory areas. This allows your business to report risk with confidence and provide evidence to satisfy a GDPR review.
At DDC OS USA, we take data security seriously. We work hard to provide you the confidence you need to know your data is protected, while providing high-quality work as well as time- and cost-savings. We’re ready to partner with you for all your data processing needs.