In May 2018, the new and standardized General Data Protection Regulation (GDPR) will take effect, and companies need to start preparing for it. We will explain what is changing.
The new regulation will replace the current EU Data Protection Directive (Directive 95/46/EC). By then, European legislators must adapt or revise certain parts of their own national laws. The new GDPR will fundamentally uphold the tried and tested principles of data protection legislation that recognize basic rights, and maintain the structure of the applicable data protection law. For more information, visit the website of the European Commission.
Non-European companies also bound by lex loci solutionis
However, the new General Data Protection Regulation also includes various elements that intend to modernize data protection. The concept known as lex loci solutionis is of particular importance here. It stipulates that all non-European companies must comply with European data protection legislation if they offer services in the European market. Other newly added concepts include the principles of privacy by design and privacy by default, data protection impact analysis, disclosure to affected parties and supervisory authorities in cases of data breaches (« obligation to report »), and a provision to limit profiling.
Violations can lead to more severe penalties
Companies who violate the future EU-wide data protection regulation could face substantial fines of up to four percent of annual sales. That is why lawyers are advising companies to start taking a much closer look at their assets and how they are protected. “In light of the severe penalties of up to four percent of yearly group sales, companies will have to take the next two years to reassess how they handle personal data for when the new regulation takes effect,” says Reemt Matthiesen of the corporate law firm CMS Hasche Sigle. However, the lawyer also sees gratifying aspects about the reform. « On a positive note, the regulation will now recognize the legitimate interest in group-internal data exchange for both customer and employee data, making many of today’s agreements on contract data processing between affiliated companies obsolete. »
Retarus prioritizes data protection and compliance
The Retarus Global Delivery Network complies with the most stringent data protection and data security requirements (for example, demonstrable compliance with the German Federal Data Protection Act, EU Directive 95/46/EC, ISAE 3402, HIPAA and PCI-DSS). Rather than obtaining all possible certifications, Retarus opts for a rigorous internal control system, which is continuously audited by a reputable auditing company. We are also happy to grant your auditors personal access to our data centers to review the relevant processes as needed.