The European Union’s General Data Protection Regulation (GDPR) will change how personal data is used throughout the EU. The regulation strengthens the rights of individuals to control their own personal data and harmonizes data protection legislation across the EU. The regulation entered into force in 2016; a transition period is currently running and expires in May 2018. From that point on, the processing of personal data in organizations must comply with the regulation.
The regulation introduces new responsibilities for data controllers and data processors. Perhaps the most significant change is the accountability principle: each organization must be able to demonstrate its compliance with the principles of personal data processing. In practice this means documentation. It is no longer enough to say that you follow the law; you must be able to show that you do.
“We started learning about this in good time. A comprehensive mapping project is well underway. The next step is to make technical changes to the software, while documenting, documenting and documenting. There is still a lot to be done, but our plan is that by the end of May we will be ready,” says coordinator Minna Nousiainen.
Her impression is that awareness of the new regulation is fairly good in most organizations, but not everyone yet fully understands how broad and labour-intensive compliance turns out to be.
“Many see the privacy regulation as a burden, but I consider it an opportunity for image and marketing advantage,” she says.
Compliance with the regulation is also encouraged by the risk of substantial fines: up to 20 million euros or four percent of annual worldwide turnover, whichever is higher.
Personal information for a specific purpose only
Earlier legislation did not permit keeping registers of personal data without a legitimate reason either. Now, however, the controller must work through and document what data is collected, from whom and for what purpose, on what legal basis, where and for how long it is stored, and how it is secured. Going forward, only the data necessary for the stated purpose may be collected.
The software developed by Finnish Net Solutions (FNS), such as Provet Cloud, is used to process personal data. The company is therefore assessing, among other things, the risks associated with its software, making the necessary technical changes, and ensuring that data protection and security are built into the software development process from the outset.
“Our customers are data controllers, so they have the responsibilities of a controller. They also have an obligation to inform their own customers. This means, among other things, that their website should contain a privacy statement or privacy notice explaining the rights of the data subject,” Nousiainen says.
The data subject has the right to access their own data, to be informed of a personal data breach, to have the data rectified, to have it transferred to another system, and to have it erased, except where the data is held in a statutory register.
“We help our customers with all of these issues. We will advise as much as we can, and we have already received quite a number of questions. We will also draw up agreements on the processing of personal data or clarify existing agreements,” says Minna Nousiainen.
As a new service, FNS offers a current-state mapping. It includes a kick-off meeting, a mapping carried out by an expert, a review of the results, and recommended actions.
GDPR concerns everyone at FNS, and everyone must be aware of its requirements at least at some level. Staff will receive the necessary training so that customer service representatives can answer customer questions, sales staff understand the new contractual requirements, and software developers know which features must be in place when the regulation becomes applicable.