On 25 May 2018, the data privacy landscape will change dramatically. On that day, the European Union (EU) authorities will begin enforcing the much-publicized General Data Protection Regulation (GDPR). The GDPR expands the rights of individuals and increases the obligations on businesses that collect personal data about individuals in the EU wherever the business is located.
We hope you find our Guide to the GDPR helpful.
What is the GDPR?
It’s a total re-write of data protection law in the EU in response to the way data is shared and handled in the “digital economy”, and it supports the EU’s digital single market strategy. Its goal is to modernize and simplify the current patchwork of national laws across the EU, replacing them with a single directly applicable law (known as a regulation). At the forefront of the changes is the strengthening of citizens’ rights to control how their data is used.
What does it regulate?
The GDPR regulates how organizations “process” personal data, that is, how they collect, use, store and transfer the data when providing products and/or services to an individual and/or monitoring their behaviour. Any organization, regardless of where it is based, that processes personal data of an individual “in the EU” is within the scope of the law. The test is where the individual is, so the GDPR is not confined to EU citizens.
What is personal data?
Reflecting technological advancements, the concept of “personal data” has been significantly broadened under the GDPR. It still covers any information relating to an identified or identifiable individual (also called a “data subject”), but the definition now expressly includes identifiers such as online identifiers (for example cookie IDs and IP addresses), genetic data and location data.
What does the GDPR change?
The GDPR provides enhanced rights to individuals in the EU and significantly increases the obligations on organizations. Some of the key changes are:
Rights: The GDPR provides expanded rights for individuals in the EU such as deletion, restriction, and portability of personal data.
Accountability: The GDPR requires organizations to implement appropriate policies, conduct data protection impact assessments for high-risk processing, keep detailed records of their processing activities and enter into written agreements with the suppliers (processors) that handle personal data on their behalf.
Profiling and monitoring (new): The GDPR places additional obligations on organizations engaged in profiling or monitoring behaviour of individuals in the EU.
Security: The GDPR requires organizations to implement technical and organizational measures appropriate to the risk, taking into account the state of the art and the costs of implementation, including measures such as pseudonymization and encryption of personal data. Data that has been genuinely anonymized so that the individual can no longer be identified falls outside the GDPR altogether, whereas pseudonymized data remains personal data.
Data breach notification: The GDPR requires organizations to report certain personal data breaches to the data protection authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach), and, where the breach is likely to result in a high risk to individuals, to the affected data subjects.
Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual worldwide turnover, depending on the nature and seriousness of the infringement and the damage caused.
One stop shop: The GDPR introduces the concept of a lead supervisory authority so that organizations operating in many EU countries can work with one data protection authority rather than many for matters such as cross-border data protection issues and enforcement.
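The distinction between pseudonymization and anonymization in the Security item above is the one practitioners most often get wrong, so the following added example (not FinancialForce code, and not taken from this page) shows both on a constructed set of customer records. It pseudonymizes by replacing the direct identifiers with a keyed HMAC-SHA256 token, so that records about the same person stay linkable for reporting while re-identification requires a key that is held separately from the data; it anonymizes by dropping the identifiers and generalizing the quasi-identifiers so that the result cannot be reversed; and it demonstrates why an unkeyed hash of an email address is not an adequate pseudonym, because anyone can recompute it from a list of guessed addresses. The record layout, the field names and the key handling are assumptions for the illustration.

```python
"""Pseudonymization vs anonymization of personal data records.

Added example, not FinancialForce's code. The records, field names and
key handling are constructed for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). Name and email are direct
# identifiers; age and postcode are quasi-identifiers; spend is the payload.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "spend": 120.50},
    {"name": "Bob Example", "email": "bob@example.com", "age": 52, "postcode": "M1 1AE", "spend": 80.00},
    {"name": "Alice Example", "email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "spend": 15.25},
]


def _token(email: str, key: bytes) -> str:
    """Keyed pseudonym for an identifier: HMAC-SHA256 under a secret key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a keyed token.

    The same email always yields the same token, so all of one person's
    records remain linkable for analytics, but mapping a token back to the
    person needs the key, which must be stored separately from this output
    (e.g. in a secrets manager with its own access control and audit log).
    """
    return [
        {"subject_id": _token(r["email"], key), "age": r["age"], "postcode": r["postcode"], "spend": r["spend"]}
        for r in records
    ]


def reidentify(token: str, known_emails, key: bytes):
    """Only a party holding the key can link a token back to a known identifier."""
    for email in known_emails:
        if hmac.compare_digest(_token(email, key), token):
            return email
    return None


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymize(records):
    """Drop direct identifiers and coarsen quasi-identifiers; not reversible.

    Only the outward postcode (area) is kept and age becomes a band, so the
    output can no longer be tied back to a specific individual by this data
    alone. Whether that is enough depends on what else the recipient holds.
    """
    return [
        {"age_band": age_band(r["age"]), "area": r["postcode"].split()[0], "spend": r["spend"]}
        for r in records
    ]


def recover_from_unkeyed_hash(records, guessed_emails):
    """Why a plain SHA-256 of the email is NOT a pseudonym: an attacker who can
    guess candidate addresses recomputes the hash and reads the identities back."""
    lookup = {hashlib.sha256(e.strip().lower().encode()).hexdigest(): e for e in guessed_emails}
    return [lookup.get(hashlib.sha256(r["email"].strip().lower().encode()).hexdigest()) for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated fresh; keep it away from the data
    pseudo = pseudonymize(RECORDS, key)
    for row in pseudo:
        print("pseudonymized:", row)
    print("re-identified with key:", reidentify(pseudo[1]["subject_id"], ["alice@example.com", "bob@example.com"], key))
    print("re-identified without key:", reidentify(pseudo[1]["subject_id"], ["alice@example.com", "bob@example.com"], b"\x00" * 32))
    for row in anonymize(RECORDS):
        print("anonymized:", row)
    print("unkeyed hash recovered:", recover_from_unkeyed_hash(RECORDS, ["bob@example.com", "alice@example.com"]))
```

Running the block shows the two Alice rows sharing one pseudonym, Bob's token resolving only when the correct key is supplied, and the unkeyed-hash variant giving every email back to anyone with a guess list. In practice the key is rotated per purpose or per dataset, and the pseudonymized output is still treated as personal data for access control and breach handling.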
Does EU personal data have to stay in the EU in that case?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place new restrictions on transfers of personal data outside the EU beyond those that already applied: a transfer outside the European Economic Area (EEA) still needs a recognized safeguard. FinancialForce’s data processing addendum, which references our Privacy Shield certification and the European Commission’s model clauses, will continue to help our customers transfer EU personal data outside the EEA.
Where do I go to find out more?
For more information about the GDPR you can visit the official EU GDPR website.
What FinancialForce is Doing
FinancialForce welcomes the GDPR as an important step forward in harmonizing data protection law across the EU. We are approaching this as an opportunity to deepen our commitment to data protection. Compliance with the GDPR requires a partnership between FinancialForce, the suppliers whose services support our business, and our customers in their use of our services.
At FinancialForce we are committed to helping our customers comply with the forthcoming GDPR. We have looked at the requirements closely and we are working on the updates needed in our products, contracts, documentation and processes to support both our customers’ and our own compliance with the GDPR.
FinancialForce is the leading cloud ERP on the Salesforce platform, so we are delighted that Salesforce has made clear its GDPR commitment. Trust is the number one value for both FinancialForce and Salesforce, and nothing is more important to both companies than the protection of our customers’ data.
FinancialForce’s Commitment to Data Protection
At FinancialForce nothing is more important than the success of our customers and the protection of our customers’ data. FinancialForce’s Security Overview describes the architecture and infrastructure of our services, the security- and privacy-related audits and certifications our services have received and which we inherit from Salesforce, and applicable administrative, technical, and physical controls material to our services.
To learn more about FinancialForce’s commitment to the privacy of personal data please see our Privacy Statement.