Welcome to the world of GDPR
GDPR is a new and complex environment for European companies (as well as non-European ones), and as of May 25, 2018 it also concerns Switzerland and any company located outside of the European Union that deals with the European Union in general. You may therefore need to understand as soon as possible whether this important piece of legislation applies to your company, association or foundation. Further, if GDPR does apply, you may not yet know what process you need to follow to comply.
The acronym GDPR means: “G” and “R” stand for General Regulation, a legal European Union class of documents which means that the 88-page legislation applies since May 25, 2018, directly in the 28 states of the European Union without the need to be embodied into national law in each member state. “D” and “P” stand for Data Protection, as this regulation is about the protection of European Union natural persons’ personal data.
OK, this concerns only the European Union, or what?
In fact, even though GDPR is a European Union regulation, the law does or will apply to, for example, Swiss organizations, either directly since May 25, 2018, or indirectly in a short while. First, all organizations that maintain relationships with customers or suppliers based in the European Union have collected the personal data of the natural persons representing, or working for, these customers or suppliers or prospects. As a consequence, they need to comply with GDPR since May 25, 2018.
Indeed, the GDPR goes by two definitions of territorial application. First is the geographical location of the organization or group of organizations (not only the registered headquarters) which process the data: if it is located within the European Union, or if it has the data processed by a sub-contractor located within the EU, GDPR applies. But the second principle goes much farther: it applies to any organization, whatever the location, if the personal data being processed belongs to natural persons located within the European Union.
Moreover, in the case of the USA, organizations based in this country may not be subject to the GDPR because they do not collect or process personal data of EU-based persons at this time. However, they need to plan to comply with the main GDPR rules anyway, because we expect that many states will enact similar regulation in the next two years.
The USA has to follow the European Union because otherwise it would lose the current benefit of the equivalence decision it received from the European Union concerning data protection, and losing such status would create many obstacles and complications when transferring personal data between the EU and the USA.
Are compliance solutions more technically- or more legally-based?
GDPR is a complex piece of legislation because it presents a novel approach to personal data protection by the European Union. First, this body of law reinforces the rights of natural persons over their personal data. Second, it creates many new obligations for data processing organizations (“data processors” in GDPR). Such obligations are both technical and legal in content. Therefore, the GDPR compliance process cannot be complete unless the project is based on both information technology and legal expertise.
Further, the GDPR “philosophy” does not impose clear obligations once specified conditions are fulfilled, as the previous legislation did. On the contrary, with GDPR the European Union aims to make companies and other organizations that create or exploit databases concerning natural persons behave responsibly, by forcing them to design and implement a bespoke compliance program which must be proactive and durable.
Both founders of LegIT-Team have spent most of their careers with multinational companies, one within the legal department and the other within the information technology department. After the GDPR was published in 2016, they studied the text in parallel and came to the conclusion that they needed to team up and share their respective competencies, as the only way to offer companies, associations and foundations complete and expert solutions for compliance processes.
Make your life simpler with LegIT-Team!
As mentioned above, GDPR requires organizations to take “appropriate measures to guarantee the security of personal data and the rights of natural persons.” However, although the regulation lists a number of examples and minimum measures, it never specifies exactly what applies to which organization, as this depends on diverse factors, some known and some still to be defined.
GDPR aims at being adaptable, in order not to be made obsolete by technological progress. This is obviously a complication, because an open or adaptable legislation means a lot of questions and few immediate answers.
Indeed, each organization will have to dedicate significant resources to, first, mastering the contents of the regulation; second, making an inventory of what already exists within the organization and of the risks this represents in the light of GDPR; and third, determining what internal procedures need to be created and enforced, what training is to be provided to staff, and what permanent control systems are to be implemented.
LegIT-Team has already completed all the preparatory work and offers clear and individualized solutions that will not distract the valuable resources of your organization. LegIT-Team guides you and supplies you with the tools necessary and useful to manage this new enterprise risk:
- the initial audit tools to determine the immediate actions that need to be implemented,
- the different documentation and procedure templates that need to be created,
- the control and update programs,
- the training modules adapted to your staff,
- the legal and technological alert services to ensure that your enterprise remains compliant in all respects, year after year,
- the outsourcing of the Data Protection Officer role imposed by the Regulation.
Contact us at firstname.lastname@example.org for more information.