The European General Data Protection Regulation (GDPR) was adopted in April of 2016, forever altering the global digital privacy landscape. Designed to unify the data protection laws across EU member states, GDPR has impacted every entity that holds or uses European personal data both inside and outside of Europe. This means that nearly every website and application in the world has been affected.
Almost every aspect of people’s lives now revolves around data. Services people use every day, like social media and bank applications, collect, store, and analyze personal data. Under GDPR, organizations must ensure that they gather data under strict conditions and protect it from misuse. Lack of compliance could lead to hefty fines of up to €20 million or 4% of annual turnover. Non-compliance could also hurt the reputation and profitability of your company.
GDPR came to be because of public concerns over digital privacy in the EU. GDPR recognizes the rights that citizens have with regards to information that identifies them. The GDPR expands the rights of citizens, also referred to as data subjects, in the following ways:
The focus of the law is not where an organization is located but where the business activity occurs. Any organization that holds data relating to citizens in the EU must comply. This effectively implies that GDPR is a global law. If your organization does business, offers services, or performs activities on behalf of EU citizens, GPDR may apply.
An organization must comply with GDPR if it has more than 250 employees. An organization that has fewer than 250 employees must be compliant if its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
The process of developing and maintaining a GDPR compliance plan should include representatives from legal, IT, HR, and other departments. Data must be identified, tracked, and documented, along with the purpose for its use, the location where it is stored, and the names of anyone who has access to the data. An organization’s technology processes will likely need to change in order to ensure that it maintains compliance with GDPR.
Organizations in the EU or outside of the EU that process personal data for the offering of goods and services to the EU, or that monitor the behavior of data subjects in the EU, should appoint a data protection officer to be responsible for GDPR and act as a point of contact for the Data Protection Authority (DPA) and data subjects.
Few organizations have identified every single process that involves personal data. Organizations with IT systems ought to go through their entire system portfolio to ensure that all of the systems are compliant with GDPR regulations. It’s important to note, however, that it is organizations that need to be GDPR-compliant—not systems, applications, platforms, or databases.
Organizations should be prepared to respond to data subjects exercising their rights under the GDPR. Companies should be ready to handle data breach incidents and implement additional controls to adequately respond to data subjects who exercise their rights.
Add-On Products’ resource booking software Resource Central, which is based on Microsoft Outlook® and Exchange, adheres to Microsoft’s relevant GDPR settings. Resource Central can currently be configured as GDPR compliant by skilled database professionals. We determine where EU citizen data resides in Resource Central database tables and then construct relevant tools for our customers to enable them to comply with GDPR.
Let us help you stay compliant with GDPR, so you can be freed up to focus on your core business activities. To learn more about our GDPR compliant software for resource booking and digital signage management, please sign up for a free trial or free online demo today!