Why is the GDPR so important?

Posted by Jeroen Bruins Slot

For us, at Unit4, it is paramount to protect the privacy and personal data of our customers and employees. We are aware of the importance of the GDPR and are ready for May 25th. Are you?

The phrase "data is the oil of the 21st century" has never been more true than it is today. For many businesses, processing personal data is a significant activity, and nearly every company processes some personal data on a regular basis.

We have heard and talked a lot about the new General Data Protection Regulation over the past few years. Commonly referred to as the GDPR, it is the latest privacy and data protection legislation of the European Union (EU). Big corporations that process personal data as a core component of their business model, such as Facebook and Google, take it very seriously, creating new tools and dedicated websites explaining how they comply. However, the GDPR has implications for all companies, whatever their size. Many smaller companies do not even realise they are affected, which is a dangerous position to be in, because they could be subject to substantial or even crippling fines.

The GDPR was adopted by the European Parliament and the Council on 27 April 2016, entered into force on 24 May 2016 and applies from 25 May 2018, after a two-year transition period. This leaves little time to make sure the rules are understood correctly, to work out what the GDPR means for each specific business and to take the steps needed to be compliant.

Although the GDPR builds on the existing EU data protection principles, it creates many new rights for individuals and new obligations for those who process personal data. It also defines what 'processing' of personal data means: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Such operations include, among others, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. Put simply, processing covers everything an organisation does with personal data.

The GDPR also has a very wide territorial scope, which is another reason it is receiving so much attention. There are three scenarios:

European organizations

The GDPR applies to the processing of personal data in the context of the activities of an establishment of any public or private organisation (or even a single natural person) in the EU, regardless of whether the processing itself takes place in the Union or not. So if a company is established within the EU, the GDPR applies to its processing of personal data no matter where in the world that processing happens, and it applies to the organisation (or the person, where an individual is the controller or processor).

Global reach

The new European data protection law also applies to the processing of personal data of data subjects (natural persons) who are in the Union by any public or private organisation (or a single natural person) not established in the Union. In this case, however, the processing activities must be related to either:

- the offering of goods or services to those data subjects, irrespective of whether a payment from the individual is required; or

- the monitoring of their behaviour, as far as their behaviour takes place within the Union.

This means, for example, that if a US- or Asia-based company wants to conduct e-commerce in the EU (for which it needs to process some personal data, such as name, shipping address and payment details), the GDPR applies to it. It also applies where no payment is involved at all, as with Facebook and most of Google's services.

European territories around the world

The Regulation also applies to the processing of personal data by any public or private organisation (or a single natural person) not established in the Union, but in a place where Member State law applies by virtue of public international law. An example of such a place is a Member State's diplomatic mission or consular post.

Consequences

Another aspect that makes the GDPR so important is the considerable administrative fines that non-compliance can expose companies to. Infringements of some provisions are subject to fines of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For the more serious infringements, the numbers rise to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, again whichever is higher.

Reputation

Finally, GDPR compliance is simply good business practice, and good for an organisation's reputation. Think of not-for-profits managing donor data, or universities looking after their students' records. If an organisation demonstrates to its customers and partners that it is aware of and responsible about privacy and data protection, they are more likely to continue the relationship and even recommend it to potential new clients. Conversely, if the organisation is non-compliant, this may drive customers and partners away, or even expose them to harm.

Jeroen Bruins Slot

Jeroen joined Unit4 in 2015 as its General Counsel and joined the Global Leadership Team in October 2017. He is responsible for overseeing and identifying legal issues across all departments, as well as for corporate governance and compliance. He is experienced in all aspects of business law and compliance, including M&A, contract law, employment law and company secretary duties. Jeroen also has experience in corporate restructurings, transformations and overall organisational development. Since 2017, Jeroen has also been Chairman of the Unit4 Cares Foundation, which aims to support and raise funds for Unit4 colleagues, and their partners or children, affected by critical illness. He graduated with a Master's degree from Leiden University in 1992.