The new General Data Protection Regulation is tightening up the personal data management practices of organisations in general, and digital players in particular.
When the regulation was published, Cegid began a compliance programme for its own solutions and internal data management, and it is now making its expertise available to its customers. In this document, we present the content and challenges of GDPR, with a focus on the role of the Data Protection Officer (DPO), and a summary of our expertise in the subject.
On 25 May 2018, new EU legislation came into force: the General Data Protection Regulation (GDPR), a new law by the European Commission. Its provisions apply in the 28 countries of the European Union and to every organisation in the world that provides goods and services to European citizens or that stores, hosts and handles the personal data of European residents.
The growing importance of digital technology in individuals’ everyday lives makes it easier for organisations to use personal data. Where their aims are profiling, personalisation and monetisation, these practices need to be adapted, both to improve the protection of individuals’ personal data and to help organisations to introduce standardised and transparent data governance, making it easier to run high value-added analytical programmes (know your customer and personalisation, risk and fraud management, etc.).
The aim of GDPR is to “give control back to citizens over their personal data, while also simplifying the regulatory environment for organisations”. These provisions will profoundly alter the way in which organisations collect, manage, store and protect personal data.
GDPR sets a Europe-wide harmonised regulatory framework which is directly applicable in each of the 28 member states. This common language relating to personal data protection also applies to organisations operating outside the European Union which use data concerning the activities of EU organisations and residents. The following rights have now been strengthened by GDPR:
GDPR also establishes a number of obligations for organisations:
Organisations must now offer individuals more control over their personal data and abide by all these obligations, or risk penalties. As a flagship measure of the new European regulation, the European Commission has significantly increased the penalties which organisations risk if their practices are not compliant. A non-compliant organisation may have to pay a fine of up to 2% of turnover or €10m (whichever is higher), rising to 4% of turnover or €20m for not respecting internet users’ rights, not to mention any damage to the company’s reputation.