«At UMB, we always deploy state of the art technological innovations in cooperation with our strategic partners for the benefit of our clients.»

Gérard Lüchinger, CTO - Teamleader Technology Sales Consulting

Data Protection: European Rules for Swiss Companies

09/11/2017 - 08:45

The new European Data Protection Regulation has been approved and will come into force on May 25, 2018. The new rules also affect many Swiss companies doing business in the EU. The problem is that in many companies the issue is not dealt with.

(From Gérard Lüchinger, CTO, UMB. Picture: Flickr.com)

The new EU General Data Protection Regulation (GDPR)[1] will affect businesses of all sizes and industries worldwide – if they trade within the EU, exchange personal data with European companies, or process data of EU citizens. For consumers the regulation is supposed to bring improved privacy protection and greater control of their own data. For affected businesses it represents complex requirements in connection with many new information and documentation requirements. Companies have no choice; the EU can impose draconian fines of millions of euros in case of non-compliance. No wonder some critics detect more than a hint of anti-business tendencies in the new law.[2]

Fines are a possible existential threat.

So what exactly is new? The financial penalties already mentioned, for example. They can amount to 20 million euros or four percent of a company's global revenue and, for all intents and purposes, could pose an existential threat to a business. Other features:

  • Personal data may only be processed with express consent. Such data must be rectified or deleted upon request (Right to be Forgotten).
  • Data breaches must be reported within defined time periods to the authorities as well as the affected clients.
  • There is a right to data portability.
  • Biometric and genetic data now fall into the category of sensitive personal data.
  • All affected businesses must take appropriate technical and organizational provisions to protect personal data and keep such measures up to date at all times.
  • There is an obligation to conduct data protection impact assessments. Such an assessment must be carried out if the processing of data can pose a high risk to the privacy of the client.

Only three percent of businesses have a plan for the GDPR.

It will be a while until the new regulations come into force. Nevertheless, the results of a global survey published four months ago are surprising:[3] More than 80 percent of respondents stated that they know few or no details of the GDPR; less than 30 percent of businesses felt they were prepared for the challenge, while almost 70 percent did not fulfill the requirements or did not know whether they met them. Only three percent had a plan laying out compliance; almost all businesses (97 percent) had no real plan for the date of entry into force. The results of the study also demonstrated that the companies surveyed lacked awareness of the necessary changes and of the severity of penalties in case of non-compliance.

How will the GDPR play out in the Cloud?

There is uncertainty in many places regarding the impact of the new regulations on cloud usage. One thing is clear: Whoever wants to store and process personal data in the cloud must be prepared to protect such data and document their flow. European cloud providers take pains to dispel existing uncertainties – among other things, through the establishment of a data protection certificate attesting compliance with the new European regulations.[4] Software companies such as Commvault, for example, offer solution platforms adhering to the new European law and integrating the new requirements.

There is, however, still more than enough to do for many individual companies. Among the points to consider are the appointment of a Data Protection Officer, improved administration of access to data, and documentation of processes as well as of data storage.

UMB will assist you with the technical implementation.

Comprehensive data protection is not easy to achieve, and the implementation of the new regulations will put a strain on many businesses' IT infrastructure. That is why it is important to address and tackle the issue now. UMB is currently implementing the GDPR for its own internal processes. UMB can assist you – for example as a Commvault Platinum Partner – with the technical implementation of the new rules. Contact us now.


[2] Liechtensteiner Vaterland, 21.4.2017