What is GDPR and how Could it Affect ERP?
GDPR, or General Data Protection Regulation, is set to change how a lot of companies, including those who sell and use ERP systems in the EU and who deal with countries in the EU do business, and is all about the privacy of citizens personal data.
This regulation was started as part of a 2012 EU data protection reform meeting agreed upon by the European Commission with a goal of a safer EU in the digital age. The reform was approved in December of 2015 and its main component was the GDPR. This new regulation goes into full effect, and you must be compliant by May 25th, 2018. Here is a little bit of the layout and what you must do to ensure you are completely up to date!
The Function
The GDPR is all about data protection. In an age where everyone is connected online through a myriad of networks, the EU felt a strong need to make sure its citizens knew exactly when their data may be exposed and how. It also opens businesses up to providing visibility on how citizen’s data is collected and processed. The new law focuses on what it calls Processors and Controllers.
A controller is a “person, public authority, agency or other bodies which, alone or jointly with others, determines the purposes and means of processing of personal data” and a processor is a “person, public authority, agency or other bodies which processes personal data on behalf of the controller”. There is now far more legal liability in the case of a data breach for processors. Controllers need to make sure that the contracts with processors are compliant.
If a hack occurs and data is stolen, organizations must notify the correct national bodies within 72 hours of noticing the breach to allow users to take measures to secure their data.
How to get Compliant
A lot of companies that do business with EU citizens have already put forth measures to ensure their compliance with the forthcoming law. Some are sending customers email outlining how their data is used and letting them opt-out of collection and use. Others are contacting users directly to ask if they would like to be removed from their database and explaining the collection to them.
A good start would be to build out a page on your website explaining how your company collects data, what it is used for, and how you ensure that it is secure. You should also provide a support number for questions as well as a way for customers to opt-out and an option for their data to be removed from your databases completely. Remember that consent is now needed to collect and store information, so this won’t necessarily be an easy task.
Non-Compliance Penalties and Fines
Like all new laws and regulations, there are punishments for not complying and the GDPR penalties are a stiff. Fines range from $10 million Euro to 4% of a company’s global annual turnover. This is all based on the severity of the breach and whether the company in question took the proper steps to ensure the data was compliant and followed all regulations up to the time if the hack. Heftier fines will be levied on companies that are wrongly collecting and misusing data as well as not making methods and data collected available to its customers that request it.
A Step Forward
In the end, these new regulations are in the best interest of the consumer. A lot of companies have been following these laws before they were written keeping integrity at the forefront if their dealings. But we all know a few bad apples spoil the bunch. The GDPR keeps businesses honest and citizens safe and educated. In the digital age, we can’t think of anything more important. If you would like more information and complete details on the new regulations, please visit the official EU law database!