How Secure Is European Companies’ Data?
According to a study published in 2016 by Symantec, 92% of all respondents – IT decision makers and company executives – in France are worried about the ability of their company to meet the requirements of the (1)GDPR.
The GDPR went into effect on 24 May 2016 in the European Union through the adoption of European Regulation (EU) No 2016/679 of 27 April 2016. It was accompanied by European directive n° 2016/680 of 27 April 2016 regulating the transfer of data for police and judicial purposes.
The EU directive strengthens the rights of individuals in the field of data protection, and facilitates the free movement of personal data in the digital market. The reform provides for clarity and consistency of rules to be applied by replacing the current mosaic of national laws with a single European legislation.
Who is affected? Applicable to all companies targeting EU consumers, regardless of whether they are established inside or outside the EU. In a number of cases, the obligations are adapted to the size of the firm and / or the nature of the data.
When are the GDPR effective? The provisions of the European Regulation will be directly applicable in all Member States two years after its effective date of 25 May 2018. EU countries will have two years to transpose the provisions of the Directive into their national legislation, i.e. no later than 6 May 2018.
Next steps? Companies will have to do an impact study, make sure to document and test that their compliance efforts meet all aspects of regulations, be it on security, conservation of data, information of concerned persons. In some cases, they will also have to appoint a data protection officer.
The new EU directive regulations are:
- The right to forget (art. 17);
- Better control of parties who hold private data (art. 7);
- Right to pass personal data of an individual to another service provider (art. 20);
- Right to be informed in clear and simple language (art. 12, 13 and 14);
- Right to be informed in case of data piracy (art. 33 and 34);
- Clear limitations to the use of profiling (art. 21);
- Special protection for children (art. 8).
Penalties: Fines of up to 4% of the total global turnover of the company.
This European “personal data package” and its transposition into national (2)laws, has implications for companies whether or not they are based in the European Union, and if they are European or non-EU.
Each of them must comply with the rules on data protection (e.g. customer files, on-line payment security …) and especially when they are transferred outside the EU.
Stefan Petrovski
Supervisor,
qualified Chartered Accountant
International Business Services
(1) General Data Protection Regulation: more information on the European Parliament website, click here
(2) Law n° 2016-1321 of 7 October 2016
