EU General Data Protection Regulation – Consequences for Businesses
All companies processing personal data automatically are subject to the regulation, including non-European businesses which offer services or products on the European market. The EU GDPR applies to data giants, such as Facebook, as well as to countless small businesses. From now on, they all have to adhere to stricter documentation and accountability obligations.
If, for example, you would like to store and use personal data, such as a person’s name, e-mail address or telephone number, you must be able to produce that person’s consent. In addition, any use of personal data must be documented in a registry – many businesses are still unsure how to technically implement such a complex registry of processing activities.
Moreover, data may now only be used for a specific purpose: if a customer provided their address for a delivery, for example, the business cannot send advertising mail to that address. Furthermore, if at least ten persons in a company are permanently engaged in the automated processing of personal data, a data security officer must be reported to the regional authority.
EU GDPR – Consequences for Private Persons
Private persons, on the other hand, have the right to know which personal data is stored and in what form it is used. Upon request, this information is to be provided “in a precise, transparent, understandable and easily accessible manner, in clear and simple language”, according to article 12 of the regulation. The Veritas Consumer Study 2018 has shown that 68% of respondents will request information from businesses about what personal data has been stored, and 72% want to make use of their Right to be Forgotten, which means that they will ask a business to delete all of the personal data it stores about them.
The majority of requests (57%) will be addressed to social media services; however, 23% still stated that they will make use of their new data rights in the health sector.
How Well are German Businesses Prepared for EU General Data Protection Regulation?
According to a survey by the eco association, only 13% of German businesses consider themselves sufficiently prepared, in legal terms, for the new EU General Data Protection Regulation. Manfred Steinritz, CEO of the Düsseldorf Chamber of Crafts, points out that there is great uncertainty, especially among the smallest companies. Instead of panicking, Steinritz advises checking for which data the required consent is available and what data is needed in the first place.
What are the Sanctions for a Breach of EU GDPR?
Compliance with the EU GDPR is supervised by the responsible Data Protection Authorities. In addition to sampling, special attention is generally paid to reports made directly to the authorities, for example by a worried private person, an official of a German Data Protection Authority says.
In case a data mishap occurs, the organization has to report the incident to the responsible authority within 72 hours. Breaches of the EU General Data Protection Regulation are sanctioned with fines of up to 4% of a business’s annual global turnover and a maximum of 20 million Euros.