At Paloma, we are working intensively to ensure that our business complies with the EU's new General Data Protection Regulation (GDPR), which enters into force on 25 May 2018. We get a lot of questions from our customers about what the new regulation entails, what we are doing, what you need to do, and who is responsible for what. We have sorted it all out below.
1) When will the new General Data Protection Regulation come into force?
On 25 May 2018.
2) What does it imply?
Significantly stricter requirements on how personal data is handled. Among other things, it requires new procedures and processes for the secure management of registers containing personal data.
3) To whom does the regulation apply?
All organisations, in every industry, that store or in any other way process personal data, whether about employees, customers or anyone else. The regulation applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
4) What happens if the regulation is not complied with...?
If a company violates the legal requirements, it may be fined up to EUR 20 million or 4 percent of the group's total worldwide annual turnover for the preceding financial year, whichever is higher. The Swedish Data Protection Authority is also likely to tighten its supervision compared with what applied under the Personal Data Act.
5) What is the purpose of the regulation?
Among other things, the EU wants to ensure a high level of protection for its citizens, adapted to the rapid pace of technological development. The EU also wants to safeguard citizens' right to privacy under the European Convention on Human Rights, which states that everyone has the right to respect for their private life.
6) What is defined as personal data?
Any information relating to an identified or identifiable natural person who is alive: names, images, IP addresses, DNA and so on. In short, all kinds of information that can be attributed, directly or indirectly, to a living natural person.
7) What happens with PUL, the Personal Data Act?
The new General Data Protection Regulation replaces PUL, the Swedish Personal Data Act of 1998.
8) What are the major changes?
Among other things, far greater transparency for each citizen. Any data subject must, at any time, be able to obtain information about what data a company holds on him or her. In addition, any data subject is entitled to have his or her data corrected, or to be forgotten, in other words to have the data deleted from a company's registers, subject to the conditions the regulation sets for erasure.
9) How is consent formulated in the regulation?
Article 4(11) defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
10) What if the processing of a customer's data serves several purposes?
In that case, the customer must give consent for each of the purposes; a single blanket consent that bundles unrelated purposes together does not meet the requirement.
11) How will the regulation affect companies’ use of social media, such as Facebook, YouTube, Instagram, LinkedIn, etc.?
Companies are responsible both for their own publications on social media and for what other users publish on the companies' pages and channels. The extent of that responsibility depends on, for example, whether the company is able to delete user publications or disable features such as comments. Additional measures in the area of social media will also be required.
12) How can each company, organisation, and industry prepare?
Each company and organisation must comply with the General Data Protection Regulation, which in most cases involves a major transition. The time has come to review how personal data is currently handled, and to create the processes, procedures and quality assurance systems needed to meet the requirements of the new regulation.