GDPR – what you need to know about the data protection regulation
GDPR (EU General Data Protection Regulation) came into effect on 28 May 2018, replacing the EU Data Protection Directive (95/46/EC) in place since 1995. But what does this mean for you and your company?
The GDPR contains lots of new updates regarding use and storage of personal data. Companies with a certain amount of employees who regularly process personal information are now obliged to operate a data protection management system. They must use this to secure and protect personal information. Anyone breaching the stipulations of the GDPR will be charged significant fines which, as well as financial losses, can lead to loss of reputation for a company.
What does this actually mean for you and your company?
The German Federal Data Protection Act (Sec. 64 BDSG (new)) stipulates that companies and public institutions which collect, process or use personal data themselves or on behalf of another party, shall observe the technical and organisational measures contained therein. This includes all measures which are necessary for guaranteeing observance of the stipulations of this act. As soon as personal data are collected, processed or used, the affected party must be informed immediately according to the GDPR’s obligation to inform. The consent of said party must also be obtained. Previously, breaches of data protection were often treated as trivial offences and as such the penalties were minimal. The new GDPR has brought an end to that. Specifically, it states that: fines according to the new regulations shall in each individual case be effective and proportionate and shall act as a deterrent. Offenders risk fines of up to €20,000,000 or in case of a large company up to 4% of the total value of global annual turnover. The actual penalty will be whichever sum is higher. Any person who works with personal data in a professional context would be well advised to familiarise himself with the new stipulations in order to avoid a penalty.
Personal Information Should be Protected
CEOS of companies are generally required as part of their duty of care to prevent any misuse of data entrusted to them. If personal data is nevertheless lost, this must be reported to the supervisory body within 72 hours. The affected group of persons must also be informed of any loss of data immediately on the grounds of the obligation to inform , unless the loss of such data is considered low risk. If the affected group of persons suffers damages as a result of loss of data (material or immaterial), they shall have a claim to damage compensation according to Art. 82(1) GDPR. Alternatively, injunctive relief may also be enforced against the processor.
Applicability of GDPR for Small Companies
Companies with fewer than ten employees who regularly handle personal information previously did not have to employ a Data Protection Officer (Sec. 38 BDSG-new) or a procedure log (Sec. 70 BDSG-new). With the new GDPR, this is now obligatory. Implementation of the stipulations of the new data protection regulation is especially difficult for small and medium-sized enterprises (SMEs). Adhering to the GDPR, for example in terms of secure storage of client data, may become a problem for SMEs. TeamDrive can help you here!
What does GDPR mean for private individuals?
Private individuals have also acquired new rights for their private sphere with the GDPR. One addition is the obligation to inform for website operators in the EU. These operators are now obliged to provide users with information on Cookies stored and also to obtain consent for their use. There is also now the right to be forgotten. This right concerns the withdrawal of consent to collect, store and process user data on a website. If the website visitor wishes to enforce this right, the website operator must delete these data immediately. But these provisions do not just apply to the digital world. In the offline world, too, customers have the opportunity to request information about the user of their personal data.
GDPR and Legally Secure Cloud Computing
Many companies store the clients’ personal information in the cloud. If you are one of these, you should check where the cloud service provider has its headquarters and where its data centre is located. If your cloud provider is in the European Union, you must sign an Order Processing Agreement with them. You are also obliged to regularly inspect the technical and organisational data protection measures of the cloud provider. If your cloud provider is located outside of the EU, e.g in the USA, you should consider switching. That is because if personal data is transferred to third-party countries outside of the EU, you have to inform the affected persons of this and obtain their consent to do this. You also have to ensure that the cloud provider in this third-party country adheres to the standards of the GDPR and also monitors its adherence!
GDPR-Compliant Cloud Solution with TeamDrive
Using the end-to-end encryption (AES 256-Bit) applied in TeamDrive, your data are protected at all times against unauthorised third-party access, according to the current state of the art security standards, the entire way from your computer or mobile device to the server. This reduces the risk of fines and obligations to inform in case of damages and protects not just your data but also your employees (e.g. your Data Protection Officer or your CEO). Countless customers put a lot of emphasis on their data remaining within Germany. Data hosted in Germany has to satisfy the data protection and security standards of German law. Unlike Microsoft, Dropbox, Google, Amazon or Apple, TeamDrive Systems GmbH stores data and documents for its customers in data centres located exclusively in Germany. Public authorities and companies must be able to prove the security of their data processing systems at all times. This ultimately means satisfying the principles of data protection by design and data protection by default. For this purpose, This has also been certified with the EuroPriSe privacy seal, which stands as proof of quality for data security.
The Additional ePrivacy Directive
The ePrivacy Directive makes the GDPR more specific with regards to stipulations for software that complies with data protection. Additionally, the previously applicable E-Privacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC) will be repealed. The directive stipulates new regulations on the protection of users and their data online. For example, regulations on working with cookies will be simplified and data security for communication services like WhatsApp will be expanded. The aim is to ensure confidentiality in electronic communication across Europe and to regulate the handling of personal data online.
The original plan was for the ePrivacy Reform to come into effect together with the GDPR. However, the deadline has now been postponed, in part due to the formation of a government in Germany. Since the current draft of the directive still has to be ratified by the European Parliament and European Council, the directive is not expected to come into effect until 2019 at the earliest.
More detailed blogs:
- Privacy – A term that the whole world speaks about
- Personal data: Definition and legal situation
- The ePrivacy Regulation and GDPR as a precursor to a secure Internet
For more detailed information, please request our whitepaper on cloud collaboration according to GDPR.
Further knowledge from the topics of GDPR and ePrivacy
With the introduction of the General Data Protection Regulation, DSGVO for short, extended requirements came into effect, especially with regard to personal data protection - including sensitive sanctions for violations of the law.
Read here what effects the GDPR has on you and your company.
The ePrivacy Regulation, which is still a work in progress at the moment, will also be discussed, but will in future formulate binding data protection rules that will apply within the EU.
Further knowledge in the areas of data transfer and data storage
In the beginning, cloud computing was primarily understood to mean the provision of storage volumes via central data centers. Instead of buying storage, you could rent storage flexibly and as needed.
This continues to happen today in varying degrees, but the offering has been expanded to include numerous other interesting services from cloud providers.
A backup is a backup copy of data that can be used to restore data if the original data is damaged, deleted or encrypted.
In the best case scenario, a backup should be stored in a different location than the original data itself - ideally in a cloud. You can find out why this is the case and what this has to do with ransomware attacks here.
According to the Principles of Proper Accounting (GoBD), data and documents that are to be recognized by the tax authorities for tax evidence must be handled in a special way.
We will explain to you the most important facts about archiving and storing electronic documents.
In the digital age, data protection and data security play an outstanding role.
To ensure that electronic data cannot be viewed by third parties and to prevent data misuse, it must be encrypted. This applies both to their storage and, above all, to their transport via the public Internet.
You can get deeper insights into the topic of encryption here.
Ransomware attacks have increased significantly in recent years. After a successful attack, all data on your computer is encrypted. From this moment on you no longer have any access options. The economic damage to companies is often enormous.
Find out here how you can protect yourself against digital blackmail.
Especially with software that is intended to protect your users' data from unauthorized access by third parties, software and data security must be taken into account and integrated into the entire software life cycle.
You can find out why this is very important and how you as a user benefit from it here.