EU General Data Protection Regulation Comes Into Force On May 24, 2016
As of yesterday, the new EU General Data Protection Regulation is in force. Its objective is to establish a high and uniform level of data protection for the whole European Union. All companies that process personal data of EU citizens are affected, so international data giants such as Google, Facebook and others are also subject to this law. Alongside data protection issues such as the “right to be forgotten” principle, the new regulation emphasizes the importance of data security. From May 25, 2018 all affected companies and their applications must prove and document organizational and technical protection measures for personal data. In case of violation, the penalty will be measured by the preparations the respective company has taken, but can reach up to 20 million euros or four percent of worldwide prior-year sales.
Given the short implementation period of just two years, SEC Consult recommends:
1. Start a Risk Analysis and Prepare an Implementation Plan – NOW!
Companies should start addressing the new organizational and technical legal requirements as soon as possible: first, to budget for the financial investments that may be needed, and second, to leave enough time for implementation. “The very first step needs to be a comprehensive analysis. What kind of personal data do you have and how are they classified? How high is the risk? Which protection measures are already implemented? Using these answers we are able to derive the necessary actions”, says Markus Robin.
2. Find an Implementation Partner
“The new penalty height corresponds to several annual IT budgets – negligence can’t be settled out of the petty cash anymore. For a gapless implementation of the needed requirements, companies should find legal and security assistance from experts”, Robin advises. SEC Consult itself works closely with lawyers and offers comprehensive consulting, from an informative risk analysis through to the implementation of security measures.
FACTS & FIGURES // EU GENERAL DATA PROTECTION REGULATION
- Is part of the EU data privacy reform
- Came into force on May 24, 2016
- Applies from May 25, 2018 (two-year implementation period)
- Objective: Standardization of a high data protection level for the whole European Union
- All companies that process personal data of EU citizens are affected, so international data giants such as Google, Facebook and others are also regulated by this law
- Companies must implement organizational and technical protection measures for privacy and data security, and prove and document them
- Companies need to maintain a “risk-appropriate protection level”
- Massive increase in penalties: depending on the violation, up to 20 million euros or four percent of prior-year sales, although the penalty will be measured by the preparations the respective company has taken