Have you heard that the European Data Protection rules are changing with effect from 25th May 2018? If you haven’t, it’s time to get yourself informed as it’s coming round quickly. Why should you be concerned? If you are a business, you will need to start conforming to the new rules to avoid sanctions. If you are an individual, it’s time we all woke up and realized what is happening with our information, so that the cyber-attacks and hacking of our personal information can be stopped.
So in view of this, I went along to a recent meeting at the Skema Business School to look at the changes and how they would affect LBS, as we take our clients’ information very seriously. Of course, having been to the meeting, I thought it was important to ensure that all of my business clients are aware of the impact of this new rule, from both a business and a personal perspective. It was an interesting meeting, slightly complicated (nothing is easy in France, is it?). Interestingly enough, there were many small businesses like mine that were very worried about its application to small businesses, the sanctions and where to start. So let’s see how I can simplify this for you.
Who does this apply to?
Any organization that collects or holds personal data on customers who are in the EU. This means that the company need not itself be in the EU: if a resident of an EU country is targeted by the company, then the company has to take the necessary steps to conform to the EU regulations. So the Ubers and large multinationals will be affected by this.
Is it one rule for all?
Well, the rules apply to all, irrespective of the size of the company, the domain of activity, whether it’s private or public, an association or an independent business, including sub-contractors and suppliers. However, it is the nature of the personal information held that determines the amount of work the company must do, i.e. the medical records of customers must be far more tightly secured than the names and email addresses in a mailing list. Larger companies will need to name a Data Protection Officer, whose role is to audit the company’s data protection rules and apply the new ones. Sub-contractors and suppliers are affected too and must respect the data protection rules of the company they are sub-contracting for or providing services to.
Sanctions can go up to 4% of the worldwide earnings of the company or 20 million euros. Obviously we are talking about big companies here, but the key word to keep in mind when thinking about this is ACCOUNTABILITY. You need to be accountable to your customers and ensure that, even if your data protection isn’t perfect, you take steps each day to improve it.
What simple steps can you start taking now?
- Evaluate the personal data you currently hold (emails, contacts, telephone numbers, etc.)
- What is the purpose of holding this information?
- Where is this information stored? If it’s in the Cloud, check the provider’s data protection rules
- Do you update your passwords regularly? If not, it should be done every 6 months at most
- Ensure that you have complicated passwords, not your date of birth!
- Ensure you have a confidentiality agreement in place with your sub-contractors
- Document your findings and the actions you take to improve your data protection
- The feedback from the CNIL was to work with European domain providers
So that is a small overview of a very complicated situation, but I hope it will start to build your awareness.
Here is a link to the CNIL website, where you will find lots of information on the subject. If you need any help understanding how this can affect you, then please contact us. If you have found this useful, please let us know and drop us a message on the Facebook page, and don’t forget to ask to join our newsletter.