25 May 2018 deadline

From 25 May 2018, we, you, and everyone else who does business in the EU must comply with the regulation. It has consequences for companies both inside and outside the EU, as long as they process personal data about individuals in the EU. Before we dive into these consequences, let's touch briefly on the reasoning behind the GDPR.


Why GDPR in the first place?

Why did the EU get started with the GDPR in the first place? It had four very good reasons:

  1. to improve the protection of individuals.
  2. to regulate the export of personal data to servers outside the EU, where little or no protection exists.
  3. to put citizens back in control of their own data, instead of leaving everything to the likes of Facebook and Google.
  4. And believe it or not: to make it easier to be an international business, by creating a single, uniform set of rules inside the EU.

Four very noble reasons.


'Personal data' — what is it?

The purpose of the GDPR is noble, but what is this 'personal data' precisely? In the GDPR, personal data is any information that can be linked to an identified or identifiable individual. Note that pseudonymised data still counts: a customer number that you can map back to a person is personal data. Unless you have anonymised all your data — and that is hardly practical — we're talking about a lot of data. Of course it includes the highly sensitive categories: health, political opinions, and sex life or sexual orientation. But also common CRM data — names, addresses, and personal interests. Even a simple sign-up for a newsletter. It's all personal data! And everything you have on record regarding your employees — current, former, and potential new ones. It's all personal data!


Personal data — so what?

If it's personal data, it must be handled as such. And when you deal with personal data, you have a number of obligations. You must:

  1. make sure that you have a lawful basis for collecting the data you have (and that you don't use it for any other purpose)
  2. protect it from being accessed by people with no legitimate cause
  3. get rid of it when you no longer have a lawful reason to keep it
  4. provide any individual, on request, with a copy of all the information you hold about them, within one month (and erase it if the consent it rests on is withdrawn and no other lawful basis remains)
  5. inform the supervisory authority within 72 hours of becoming aware of a breach that exposes personal data

Alarming consequences

I won't dwell on the fines, which can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher. You've probably already heard enough to understand that the EU is serious about this, and intends to hurt those who simply ignore the new rules. We believe that the largest fines will be reserved for companies dealing with personal data as their primary business, not ordinary businesses. But still, if the authorities catch you completely unprepared, or deliberately ignoring the rules, they will probably have an unpleasant present ready for you as well. Add to that the damage it will do to your brand if it becomes public knowledge that you are among the bad guys.


Our best advice

Our best advice — and this one you get for free: don't ignore it! You may not be able, or willing for that matter, to be fully compliant by 25 May 2018. But still, don't ignore it. Get started now. Do your analysis, make your plans, and document what you do. We can't guarantee that this will keep you in the clear. But everything we hear indicates that showing good faith and a willingness to comply will help you stay on good terms with the authorities.


10% IT — 90% organization

The obligations related to personal data are challenging. Many companies leave this challenge with IT. In our view 90% of the task is organisational: understanding your processes, then deciding and documenting how each of them should use personal data. Only then comes the remaining 10%, which is about getting your IT systems ready.


Already using Next Enterprise archive?

If you are already using Next to store and process personal data — HR documents, payroll slips, contracts, and emails, to mention just a few — you need to make sure that the way your Next is set up supports your GDPR compliance. The easiest way is to contact your local Multi Support office and arrange for an assessment.


Is Next GDPR compliant?

There is no such thing as a software certification for being GDPR compliant. If anyone tells you differently, they are lying! Compliance is more about processes than about software. But of course the software must be designed so that it can support your compliance efforts, and Next is. We've even added a few last-minute features to be on the safe side.


What about the rest?

Getting in control of the personal data in your business systems is a challenge. Ensuring that your Next Enterprise archive is set up and used in a compliant way is no small task either. But what about the rest? In our experience the two worst offenders are shared network drives and the corporate email system.



Personal data in your mailboxes

No one — or almost no one — is in full control of what personal data resides on their shared network drives and in their corporate email system. Personal data related to prospects, customers, and suppliers. And especially personal data on employees. If you are, I congratulate you for being among the select few. If you're not, I encourage you to take a look at our solutions, Next Emails and Next Enterprise Archive. They won't fix everything for you, but they will make the process of getting there less painful.


The end of manual processes

The EU's personal data protection regulation may be the end of manual processes when it comes to handling personal data. Take the process of collecting and evaluating applications for an open position in your company. Most of that process is probably handled by hand, supported of course by IT tools: Word, Excel, Outlook, and SharePoint. But unless you handle it in a proper process tool, you'll find it hard to guarantee that no application and no CV resides anywhere in the company once the selection process is over. And don't forget: the applicants have a right to erasure (the 'right to be forgotten'). Of course we are biased, but we believe that more organisations will look to solutions like our Next Processes. For job applications, and for many other processes.


Best of luck

Best of luck with your GDPR efforts. We appreciate that it's not a trivial task. Let us know if we can assist you in any way. And should you choose to ignore it, you'll need all the luck you can get.

Steen Munksgaard
Product Manager and GDPR specialist
+41 79 551 71 18
smu@multi-support.com


PS. If you already use Next, you'll need a signed data processor agreement from us.
It will soon be available for download here.