Why is the GDPR So Important?
Unit4 Communications, Europe
February 23, 2018 | 4 min read
Originally posted 23 February 2018

For us at Unit4, it is paramount to protect the privacy and personal data of our customers and employees. We are aware of the importance of the GDPR and are ready for May 25th. Are you?

The phrase "data is the oil of the 21st century" has never been truer than it is today. For many businesses, processing (personal) data is a significant activity, and nearly every company processes some personal data on a regular basis. We have heard and talked a lot about the new General Data Protection Regulation over the past few years. Commonly referred to as the GDPR, it is the latest privacy and data protection legislation of the European Union (EU).

Large corporations that process personal data as a core component of their business model, such as Facebook and Google, naturally take it very seriously, creating new tools and dedicated websites explaining how they comply. However, the GDPR has implications for all companies, whatever their size. Many smaller companies do not even realise they are affected, which is a dangerous position to be in, because they could be subject to substantial or even crippling fines.

The GDPR was adopted by the European Parliament and the Council on 27 April 2016, entered into force on 24 May 2016, and applies from 25 May 2018. Although it builds on the general EU data protection principles, it creates many new rights for individuals and new obligations for those who process personal data. It also defines what 'processing' of personal data means: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Such operations include, among others, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. To put it simply, processing covers everything an organization does with personal data.

The GDPR also has a vast territorial scope, which is another reason it is receiving so much attention. There are three scenarios.

European organizations
The GDPR applies to the processing of personal data in the context of the activities of any public or private organization (or even a single natural person) established in the EU, regardless of whether the processing itself takes place in the Union. So if a company is based in the EU, the GDPR applies to its processing of personal data no matter where in the world that processing happens, and to the organization itself (or to the person, where an individual is the controller or processor).

Global reach
The GDPR applies to the processing of personal data of data subjects (natural persons) who are in the Union by any public or private organization (or a single natural person) not established in the Union, provided the processing activities are related to either: the offering of goods or services to those data subjects, irrespective of whether a payment from the individual is required; or the monitoring of their behaviour, as far as that behaviour takes place within the Union. This means, for example, that if a US- or Asia-based company wants to conduct e-commerce in the EU (for which it needs to process personal data such as name, shipping address and bank details), the GDPR applies to it. It applies equally where no payment is involved at all, as with Facebook and most of Google's services.

European territories around the world
The GDPR also applies to the processing of personal data by any public or private organization (or a single natural person) not established in the Union, but in a place where Member State law applies by virtue of public international law. An example of such a place is a Member State's diplomatic mission or consular post.

Consequences
Another aspect that makes the GDPR so important is the size of the administrative fines that non-compliance can attract. Infringements of some provisions are subject to fines of up to EUR 10,000,000 or up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. For other breaches of the Regulation, the figures rise to EUR 20,000,000 or 4% of the turnover for the preceding year, again whichever is higher.

Reputation
Finally, GDPR compliance is simply good business practice and good for an organization's reputation. Think of not-for-profits managing donor data, or universities looking after their students' records. If an organization demonstrates to its customers and partners that it is privacy- and data-protection-aware and responsible, they are more likely to continue the relationship and even recommend it to new potential clients. Conversely, a non-compliant organization risks driving customers and partners away, or even harming them.