Useful information

The impact of GDPR on companies around the world

To create greater coherence across the European Union (EU) and to give citizens more control over their own personal data, the EU adopted the General Data Protection Regulation (GDPR) on 27 April 2016 to replace the European Directive on data protection. As stated on the European Commission’s website: “The objective of this new set of rules is to give citizens control over their personal data and to simplify the regulatory environment for business.” Organizations affected by GDPR were given two years to formulate and implement the policies, procedures and technologies needed to achieve and maintain compliance. Given that the sanctions for non-compliance are unprecedented, organizations need to make the most of that time to be prepared. It is important to note that GDPR applies in all 28 EU Member States and has the full force of law. The Regulation applies to the personal data of EU residents regardless of where it is collected, stored or processed, inside or outside the EU, even if the organization has no official presence in the EU. There are exceptions: GDPR does not apply to the processing of personal data for national security purposes or in the course of “purely personal or household activities”.

Which organizations are subject to GDPR?

All companies that collect and manage personal data relating to EU residents are subject to GDPR requirements and to the sanctions that may follow from non-compliance. Personal data for GDPR purposes includes data about customers, suppliers, service providers and any other people with whom the organization interacts, including data exchanged with the supply chain or with commercial partner networks. It is essential to remember that non-EU organizations are also subject to GDPR and to its fines for non-compliance. Any organization that collects personal information about EU residents must adhere to the rules established by GDPR.

What qualifies as personal information under GDPR?

As specified in the Regulation, personal data “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. GDPR is intended to cover all personal information that residents typically share in their relationship with any entity.

How does GDPR change consent for the collection and use of personal data?

The strongest lever in GDPR is consent. Anyone who wishes to collect personal data faces strict requirements for obtaining consent to collect and process information from partners/clients. The request for consent must be fully explicit, fully informed and fully transparent about the intended use of the data. The Regulation defines the “consent” of the data subject as any freely given, specific, informed and unambiguous indication of the person’s wishes by which, through a statement or a clear affirmative action, the person agrees to the processing of his or her personal data. GDPR also closes the loop by requiring that withdrawing consent be as easy as giving it.

What are the rights of the EU citizen under GDPR?

GDPR gives EU citizens more rights. At any time they have the right to access information about their personal data held by “data processors”, which in the author’s usage simply means any company that keeps or uses the data. They also have the right to request that their data be transferred to another data processor. Perhaps the most important, and certainly the most frequently quoted, is the right to be forgotten, that is, the right to have data deleted on demand, together with the right to rectification, the right to have incorrect data corrected. EU residents can also invoke the right to restrict the use of their personal data, for example to avoid digital marketing contact.

What responsibilities do you have in case of a security breach?

The EU expects any breach that could lead to harm to a person to be reported to the supervisory authority. The Regulation says “without undue delay”, leaving what counts as an undue cause of delay open to interpretation, and then “where feasible, not later than 72 hours after having become aware of it”, which leaves both what counts as feasible and the actual moment of awareness open to interpretation. Organizations are also required to keep a log of all security breaches. The notification must include the nature of the breach, the number of data subjects involved, and the categories and approximate number of personal data records exposed. A description of the likely consequences, together with the measures proposed or taken to mitigate the exposure and its possible adverse effects, should also be provided.

What are the potential consequences of non-compliance?

Sanctions for non-compliance with GDPR are not limited to financial damages and fines, but the financial consequences are certainly significant. By design, fines for non-compliance with GDPR are meant to be effective and dissuasive. Few entrepreneurs and business executives can afford to ignore the potential impact of such significant sums. Companies that have not previously been cited for violations may be fined up to two percent (2%) of their worldwide annual turnover or EUR 10 million, whichever is higher. Those with previous offenses, depending on the nature of their violation, may be fined up to four percent (4%) of their worldwide annual turnover or EUR 20 million, whichever is higher.

How does GDPR influence legal departments and compliance with laws?

Legal departments need to study GDPR thoroughly to understand all of their obligations, including new or modified processes, policies, roles, responsibilities and training needs. This is not just a matter for legal and compliance. It will take a concerted effort from every part of the organization that handles personal data. Ultimately, liability is a legal concern, but most departments will be affected and will share responsibility for compliance. The sanctions, as discussed earlier, are high. You are dealing with a regulation that gives people the right to be forgotten; if you confirm that you have honoured that right but still hold that individual’s data, enforcement authorities will be keen to catch you. All organizations must carefully review every policy, procedure or process that involves personal data to ensure that all privacy requirements are met or exceeded. The best advice for in-house counsel is to secure the involvement of representatives from every department and area touched by the compliance effort. This will require rigorous planning by many people, and you need to make sure that all the other departments discussed here join you in allocating the right investment, resources and experts to the GDPR compliance program.

How does GDPR influence marketing activity?

Thinking longer term, marketers should see GDPR as good news: a move towards reducing the overwhelming noise consumers endure and an opportunity to deliver well-targeted messages that will actually be heard. Brands will have to actively collect consent from customers and prospects in order to keep promoting and communicating to them, and that consent must be “freely given, specific, informed and unambiguous” to comply with GDPR. Marketing agencies and marketers will need to find and develop appropriate ways to comply with GDPR while continuing to provide the customized products, services and experiences consumers demand. The classic practice of “collect as much customer data as possible and then see what can be done with it” will become a high-risk strategy, as data minimization becomes the new paradigm. GDPR aims to reduce or eliminate the opt-in, opt-out and other sneaky consent strategies that marketers use simply to increase the number of contacts they hold. Instead, marketers are encouraged to use opt-in and opt-out correctly, so that messages reach people with a greater chance of receiving them with interest. Properly implemented, GDPR will reduce the number of erroneous sales leads, reduce bot-driven fraud, and ultimately eliminate the “hit or miss” approach of much targeting. The goal is more efficient marketing communication through a qualified target group.

How does GDPR influence the storage and management of information?

As with other regulations, GDPR imposes obligations on the storage and management of information so that organizations can effectively report on and demonstrate their compliance practices. Information capture, storage and management teams will need to establish and implement a clear record-keeping policy for personal information where none exists, or update the existing policy to reflect GDPR requirements. Updating classification schemes, data storage methods and record-keeping programs will probably be necessary to ensure that data portability, erasure and correction are not only possible but also effective. GDPR also calls for records such as data protection impact assessments, consent records, records of processing activities, and records of possible data breaches. Teams responsible for recording, storing and managing information will need to revise, update and create the policies GDPR requires, and will probably need to increase their vigilance to ensure continued compliance.

How does GDPR modify information technology (IT)?

Originally, GDPR was treated almost exclusively as a matter for information technology (IT) functions. Its provisions regulate the flow of data across the organization from the moment of collection to the deletion of a customer record, and every intermediate processing of that data. Under GDPR, effective processes and systems must be in place so that portability, deletion or correction of data can be carried out correctly and accurately whenever necessary. The principles of data protection by design and by default are now mandatory points of discussion with IT partners and vendors when assessing new technology acquisitions. IT decision makers need to require clear and specific assurances from cloud providers on how they meet GDPR requirements, such as their ability to respond to requests for deletion, rectification and portability of data, where their data centers are located, and whether personal data is transferred outside regional boundaries. A significant challenge facing IT organizations everywhere is the need to document all data processing activities and to compile that documentation easily when needed. Finally, IT and IT security will play a key role in ensuring that data breach notification procedures exist and are followed.

How does GDPR influence human resources?

One provision of GDPR allows EU Member States to adopt more specific laws on the processing of employee data. This makes GDPR administration of employee information considerably more complex than customer data management. In the employer/employee relationship the employer can be seen as holding the superior position, so, technically speaking, the employee’s consent is not “freely given”. Employers may not have to collect employee consent under GDPR (as with clients) because they can rely on “legitimate business interest” or on one of the other legal bases, such as human resources operations. However, consent would be necessary if processing goes beyond legitimate human resources operations. GDPR requires free and open consent for customer data, but an employee’s limited bargaining power when asked to consent to the use of his or her personal data complicates whether that consent is truly free. In addition, the confidential nature of each employee’s data will make it considerably harder to provide access to his or her own data. Matters such as criminal background checks, drug tests and other investigation data will raise further new challenges, as will the portability provisions that could allow employees to request transfer of the data collected about them to a new employer after termination of the employment contract. Human resources organizations will need to seek legal advice to fully understand how to operationalize GDPR compliance for employee and candidate data management.

ECM through OpenText

Enterprise Information Management (EIM) is the key to an effective and accurate GDPR compliance and protection strategy. As a local OpenText partner, Digital Archiving Solutions provides advice on how to comply with the new rules, finding solutions and services that can help protect personal information and confidentiality and give you more control over your information.

OpenText, The Information Company™, enables organizations to gain insight through information management solutions, on premises or in the cloud. For more information about OpenText, visit www.opentext.com

New Archiving Rules

GDPR introduces 3 additional archiving principles:

  1. A pre-sorting and additional selection of the archive to be stored
  2. Increased control of document retention time
  3. Secure storage and transfer of information guaranteed by technical and organizational measures.

The DAS team has implemented, and continues to make, lasting changes to how it operates, not only to comply with national archival laws and European data protection regulations, but to be a successful model and an example of good practice in the archiving sector in Romania.

As a result, document flows and interaction with DAS Customers have been streamlined, protected and secured.

Specifically, here’s how we are organized:

  1. The Client is the Creator and Owner of the Archive.

We advise on sorting out documents that are not essential for storage, so as to minimize the storage of personal data as much as possible.

The client decides which documents are to be archived, according to legal norms and legitimate needs.

Considering that the Customer is legally the Archive Holder and decides which documents go into storage, DAS has committed to advising Clients on the selection of documents to be archived, so as to avoid as far as possible the retention of documents that contain personal data and are not strictly required for archiving.

As part of its archiving consultancy services, DAS specialists are actively involved in preparing and sorting the documents to be sent for archiving.

  2. ARHIVO has an integrated life cycle detection system for indexed documents in the DAS repository.

DAS specialists advise the Customer on sorting and, where applicable, on justifying the retention of documents beyond the legal deadline (the Customer’s legitimate internal justifications).

The document retention period is an important factor in ensuring GDPR compliance and respecting individuals’ right to the confidentiality of their private information.

The ARHIVO application includes a Warning System that alerts Clients when the legal retention period of a document is about to expire. Additionally, DAS specialists advise clients to take responsibility for justifying the legal or legitimate retention period of documents. The client, as the legal owner of the archive, must be able to demonstrate the need to store the documents concerned on legal or legitimate grounds (in the latter case, the company’s internal need to archive those documents must be clearly explained).

  3. Technical specifications
  • ARHIVO and OpenText are GDPR compliant
  • Secure connection with the Customer
  • Technical control of access to information: individualized user accounts with levels of access, controlled access to data storage centers
  • Technical certifications (ISO 27001)

Organizing

  • Archival fonds inventoried and indexed only by specially selected and strictly controlled personnel
  • Confidentiality contracts with the staff
  • Control of physical access to the archive through CCTV and restricted access using magnetic cards
  • Secure terminals and video surveillance points
  • Efficient and professional staff, accredited and specialized in managing archives
  • GDPR-compliant document flow procedures (covering any action involving interaction with Customers’ documents and information)

The “privacy by default” principle has been implemented by DAS specialists through organizational measures designed to improve and safeguard archival activity:

  • Implementing and improving secure connections with the Customer
  • Indexing and inventorying of documents received from the Client ONLY by carefully selected staff under strict control (confidentiality contracts, secured and monitored rooms, restricted access to work areas, etc.)
  • Better control over information management through the creation of document flow procedures within DAS
  • From a technical point of view, DAS’s capability is guaranteed by its ISO 27001 certification, which certifies its Information Security Management System

Liquidated companies

Digital Archiving Solutions acts as document manager for liquidated businesses and issues income certificates at the request of former employees of those companies. List of liquidated companies for which we can issue income certificates:

  • FECNE
  • Unicom Osis
  • Woodland
  • Fairwind Securities
  • SSIF Dorinvest

To request an income certificate, please e-mail the following information to office@arhivam.ro:

  • Name and surname
  • The name of the company where you were employed
  • Position
  • Period of employment
  • Contact phone number
  • A scanned copy of the national ID card
  • A scanned copy of the work record book (if you have one)

If you wish to send your request by post, fill in the required information above on an A4-size sheet, handwritten or typed, attach copies of the documents and mail them to:

Bucuresti-Pitesti Highway, Km 13.5, A1 Business Park, Aleea Martina, Hall M2, Dragomiresti Deal, County ILFOV, 077096
For the attention of: Department of ARCHIVES – Issue of Certificates

For further details, please contact us by phone: 0722539248 – Nicoleta Ghebaru