Since May 25, 2018, the General Data Protection Regulation is applicable in the European Union. Even if you don’t live there, this new regulation may impact your company. What is GDPR? Who does it impact? Read on to get answers to your questions.
|Receive all information on ECM & GDPR:
Subscribe to our newsletter!
General Data Protection Regulation: What is it?
The General Data Protection Regulation (GDPR) is a European directive regarding personal data published in 2016. It will become applicable in EU member states on May 25, 2018. GDPR aims at reinforcing the importance of data protection with those who process and store personal data, and to make companies aware of their responsibilities.
This regulation reinforces the key principles of the Data Protection Act of 6 January 1978 and increases citizens’ rights by giving them more control over their personal data. GDPR includes new obligations for the portability of personal data and the accountability of data’s depositary. Most current preliminary formalities (like statements and authorizations) to the French Data Protection Authority will disappear.
Now, organizations that handle data have to respect the law during the whole lifecycle of data. This is very important because the General Data Protection Regulation reinforces the sanctions of National Data Protection Authorities.
So, how does this new regulation impact non-European companies? If you process and store data for European citizens—GDPR also affects you. This regulation has huge impact on marketers that use personal data in campaigns.
GDPR observes six principles:
- The transparency towards the affected person.
- The limitation of the aim of the data’s gathering (which has to be explicit and lawful).
- The minimization of the quantity of collected data.
- The correction and the update of data.
- The restriction of the storage time regarding the aim.
- The security of data to protect them of the loss, damage or criminal use.
These principles are guaranteed by accountability. This refers to the responsibility of every part in front of the General Data Protection Regulation principles. From now, companies have to prove their conformity to GDPR.
General Data Protection Regulation: what does it impacted?
What is a personal data?
A personal data is every information related to a person liable to be identified, directly or indirectly.
Examples: a name, a picture, a print, an address, an e-mail address, a phone number, a social security number, an IP address, a voice note… No matter if these pieces of information are confidential or public.
Where can I find them?
An individual is related to many data depending of his identity, place, money, content, communication, behavior and health. This data can be find everywhere around him.
- About his identity
- With logins : name, e-mail address, phone number, pseudonym, IP address
- With biometry : sex, age, DNA
- With ideology : interests, opinions, religion
- About his place
- With geolocation : trips, habits
- About his money
- With income
- With deals
- About his content
- With medias : pictures, videos, podcasts
- With talks : metadata, SMS, phone calls
- About his communication
- With connections : family, contacts
- Social networks: interest, groups, opinions, etc.
- About behavior
- About consumption
- Medical files: treatments, diseases, etc.
What do I need to check?
For this, it’s important to understand the difference of an on-premise and a cloud data management solution.
With on-premise data management, you are responsible for:
- Data classification & accountability
- Client & end-point protection
- Identity & access management
- Application level controls
- Network controls
- Host infrastructures
- Physical infrastructures
To sum up: EVERYTHING!
Whereas, with a cloud data management solution, you are responsible for your data and its processing, including how you collect, store and get consent to use personal data.
Your cloud provider is responsible for application-level controls, network controls, host infrastructure and physical security. With Elise Cloud ECM by NeoLedge, you benefit from tools that help you in your data’s processing. You can search and extract personal data of a person who made the application. And you can delete this data while having a record of this deletion. NeoLedge guarantees you the privacy of data we access as part of our operations. We inform you of every safety violation immediately (even if this is not our fault).
Read more: 4 benefits of a Cloud-Based ECM solution
To conclude, with the cloud it become easier to be GDPR compliant because you have fewer obligations weighing on you. The infrastructure’s safety and security are the cloud provider’s responsibility—not yours—ensuring against security flaws and risks of leaks. You are only responsible for how you collect data and what you do with it. Also, it become easier to respond to new customer’s rights.
General Data Protection Regulation: who is impacted?
The GDPR doesn’t only target European companies. Indeed, companies which have activities or establishments based in Europe or selling goods and services to European citizens must be GDPR compliant if they collect data about their customers.
The GDPR is applicable in every organization, no matter its activity, size or field, where processing and storage of personal data occurs, automated or not. There are reductions for companies with fewer than 250 employees.
The GDPR applies if:
- The organization or the subcontractor (if handling the organization’s data) is established in one of the EU member’s territory.
- The organization or the subcontractor supplies goods or services to European citizens, with or without payment.
- The organization or the subcontractor uses data to target European citizens and if the final behavior (buy, visit a shop, etc.) takes place in the European Union.
The GDPR doesn’t apply for processing:
- Activities that do not fall within the scope of European law.
- Made by states’ members about the policies on borders’ controls, asylum and immigration.
- Implemented as part of a personal activity, like a personal directory.
- Made by appropriate authorities about prevention and detection of criminal offenses, investigations and criminal penalties. Even about the protection against threats about public safety and their prevention.
Even if the General Data Protection Regulation is a European directive, it does impact any foreign company that handles European citizens’ data. You must be aware of these changes to facilitate your adaptation. ECM cloud solutions, like Elise by NeoLedge, can be the answer because the infrastructure is the responsibility of the cloud provider.
Do you want to become GDPR compliant? Our team is here to advise and help you. Learn more about our GDPR-compliant Elise Cloud ECM solution.