
Why is the GDPR So Important?


Originally posted 23 February 2018

For us at Unit4, it is paramount to protect the privacy and personal data of our customers and employees. We are aware of the importance of the GDPR and are ready for 25 May 2018. Are you?

The phrase “data is the oil of the 21st century” has never been more true than it is today. For many businesses, the processing of (personal) data is a significant activity, and nearly every company processes some personal data on a regular basis.

We have heard and talked a lot about the new General Data Protection Regulation over the past few years. Commonly referred to as the GDPR, it is the latest privacy and data protection legislation of the European Union (EU). Large corporations that process personal data as a core component of their business model, such as Facebook and Google, naturally take it very seriously, creating new tools and dedicated websites explaining how they comply. However, the GDPR has implications for all companies, whatever their size. Many smaller companies do not even realise they are affected, which is a dangerous position to be in, because they could be subject to substantial or even crippling fines.

The GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council on 27 April 2016, entered into force on 24 May 2016 and applies from 25 May 2018.

Although the GDPR follows the general EU data protection principles, it creates many new rights for individuals and new obligations for those who process personal data. It also defines what ‘processing’ of personal data means: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Such operations include, among others, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. To put it simply, processing covers everything an organization does with personal data.

The GDPR has a vast territorial scope which is another reason it is receiving so much attention. There are three scenarios:

European organizations

The GDPR applies to the processing of personal data in the context of the activities of an establishment in the EU of any public or private organization (or even a single natural person) acting as controller or processor, regardless of whether the processing itself takes place in the Union. So if a company is established within the EU, the GDPR applies to its processing of personal data no matter where around the globe that processing actually happens.

Global reach

The European data protection law also applies to the processing of personal data of data subjects (natural persons) who are in the Union by any public or private organization (or a single natural person) not established in the Union. In this case, though, the processing activities must relate to either:

  • the offering of goods or services, irrespective of whether a payment from the individual is required; or

  • the monitoring of their behaviour as far as their behaviour takes place within the Union.

This means, for example, that if a US or Asia based company wants to conduct e-commerce in the EU (for which it needs to process personal data such as name, shipping address and bank details), the GDPR applies to it. It also applies when no payment is involved at all, as is the case with Facebook and most of Google’s services.

European territories around the world

The EU data protection Regulation also applies to the processing of personal data by any public or private organization (or a single natural person) not established in the Union, but established in a place where Member State law applies by virtue of public international law. An example of such a place is a Member State's diplomatic mission or consular post.

Consequences

Another aspect that makes the GDPR so important is the considerable administrative fines that non-compliance can attract. Infringements of some provisions are subject to fines of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For breaches of other provisions, the ceilings rise to EUR 20,000,000 or 4% of that turnover, again whichever is higher.

Reputation

Finally, GDPR compliance is simply good business practice, and good for an organization's reputation. Think of not-for-profits managing donor data, or universities looking after their students' records. If an organization demonstrates to its customers and partners that it is privacy and data protection aware and acts responsibly, they are more likely to continue the relationship and even recommend it to potential new clients. Conversely, a non-compliant organization may drive customers and partners away, or even harm them.

For us at Unit4, it is paramount to protect the privacy and personal data of our customers and employees.
