The General Data Protection Regulation (GDPR) is a new EU data protection law that updates the existing rules to improve the protection of personal data in a more technical world with more complicated flows of personal data. It replaces the national data protection laws currently in place with one set of rules, directly enforceable in each EU member state.
The GDPR regulates the “processing” of personal data about EU individuals, which includes the collection, storage, transfer or use of that data. Any organization that processes the personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
The GDPR provides more privacy rights to EU individuals and places significant obligations on organizations. Some of the key changes are:
Expanded rights for EU individuals: The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.
Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records of data activities and enter into written agreements with vendors.
Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities and, under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring the behavior of EU individuals.
Binding Corporate Rules (BCRs): The GDPR officially recognizes BCRs (which Salesforce offers for certain of its services) as a means for organizations to legalize transfers of personal data outside the EU.
Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the infringement and the damage incurred.
One stop shop: The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
What are we doing?
Espresso Solutions welcome the GDPR as a leap forward in bringing data protection requirements and laws up to date and in line with current and emerging technology. Over the coming months we will be working towards full compliance; should you want to find out more about our processes, you can email [email protected].
All of our customers will be contacted prior to 25th May 2018 to ask for their consent to marketing communications, and to highlight the customer data we hold and use in the course of business.
Here are a couple of the tasks we're undertaking whilst working towards compliance:
- Purging our databases of any customer data that is outdated or unnecessary for continued business
- Checking with our service providers to ensure that they are preparing for the GDPR
- Changing the way we file and look after physical records in our office
What data we keep and use
Some of the data we keep and use is necessary in order for us to do business with our customers. Below is a breakdown of the data we need to keep and what it is used for.
Contact Information // Names, emails & phone numbers
- Used to communicate with customers about order and account issues, and used on invoices
- If you have opted in to marketing communications and part updates, we will use your contact information for those communications
Professional Information // Company names, VAT information, company registration details and company addresses
- Used to know which customers are linked to which company accounts; the company details are kept for credit, invoicing and business use.