No later than 25 May 2018, we, you, and everyone else who does business in the EU must live by these laws. The laws have consequences for companies both inside and outside the EU — as long as they deal with EU citizens. Before we dive into these consequences, let's touch briefly on the reasoning behind the GDPR.
Why did the EU start with the GDPR in the first place? Actually, they had four very good reasons:
Four very noble reasons.
The purpose of the GDPR is noble, but what is this 'personal information' precisely? Under the GDPR, 'personal information' is anything that can be linked to an individual. Unless you have anonymized all your data — and that is hardly practical — we're talking about a lot of data. Of course it includes highly sensitive data about health, politics, and sex. But also common CRM data — names, addresses, and personal interests. Even a simple sign-up for a newsletter. It's all personal data! And everything you have on record regarding your employees — the current, former, and potential new ones. It's all personal data!
If it's personal data, it must be handled as such. And when you deal with personal data, you have a number of obligations. You must:
I won't dwell on the million euro fines. You've probably already heard enough to understand that the EU is serious about this, and intends to hurt those who just ignore the new rules. We believe that the million euro fines will be reserved for companies dealing with personal data as their primary business — not ordinary businesses. But still, if the authorities catch you completely unprepared, or deliberately ignoring the rules, they probably will have an unpleasant present ready for you as well. Add to that the damage it will do to your brand if it becomes public knowledge that you are among the bad guys.
Our best advice — and this one you get for free: Don't ignore it! You may not be able, or willing for that matter, to be all green by 25 May 2018. But still, don't ignore it. Get started now. Do your analysis, make your plans, and document what you do. We can't guarantee that this will keep you in the clear. But everything we hear indicates that showing good faith and willingness to comply will help you stay on good terms with the authorities.
The obligations related to personal data are challenging. Many companies leave this challenge with IT. In our view, 90% of the task is organizational: understanding your processes, and deciding and documenting how each of them should use personal data. Only then — the remaining 10% — is it about getting your IT systems ready.
If you are already using Next to store and process personal data — HR documents, payroll slips, contracts, and emails to mention just a few — you need to make sure that the way your Next is set up supports your GDPR compliance. The easiest way is to contact your local Multi Support office and arrange for an assessment.
There is no such thing as a software certification for being GDPR compliant. If anyone tells you differently — they lie! Compliance is more about processes than about software. But of course, the software must be designed so that it can support your compliance efforts — and Next is. We've even added a few last-minute features to be on the safe side.
Getting in control of the personal data in your business systems is a challenge. Ensuring that your Next Enterprise archive is set up and used in a compliant way is no small task either. But what about the rest? In our experience the two worst offenders are shared network drives and the corporate email system.
Network drives and email systems are the worst
No one — almost no one — is in full control of what personal data resides on their shared network drives and in their corporate email system. Personal data related to prospects, customers, and suppliers. And especially personal data on employees. If you are, I congratulate you for being among the select few. If you're not, I encourage you to take a look at our solutions — Next Emails and Next Enterprise Archive. They won't fix everything for you, but they will make the process of getting there less painful.
The EU personal data protection regulation may be the end of manual processes when it comes to handling personal data. Take the process of collecting and evaluating applications for an open position in your company. Most of that process is probably handled by hand. Of course it is supported by IT tools — Word, Excel, Outlook, and SharePoint. But unless you handle it in a proper process tool, you'll find it hard to guarantee that no application and no CV resides anywhere in the company once the selection process is over. And don't forget — the applicants have a right to be forgotten. Of course we are biased, but we believe that more organizations will look to solutions like our Next Processes. For job applications, and many other processes.
Product Manager and GDPR specialist
PS. If you already use Next, you'll need a signed data processor agreement from us.
You can soon download it from here.
Jørn M. Christensen, jmc@nextway.software