The General Data Protection Regulation: your data in good hands
The new General Data Protection Regulation (GDPR), passed to ensure the further enhanced security of personal data, took effect on May 25, 2018. At Sappi, your e-privacy in digital communications had top priority even before the new legislation was adopted. We continuously optimize our data protection processes and, at www.sappi.com/privacy-policy, provide you with an overview of how we process and protect your data. We greet the new GDPR as confirmation that we were right in focusing on consistent data protection as a guiding principle in our cooperation with customers from the outset. In the following, we summarize a number of important points concerning the GDPR that have particular relevance to you as a business owner.
The GDPR applies to small businesses as well
Whether you operate a one-person shop, a graphic design firm or a major printing house, as a business owner in the printing, packaging and communications sector, you are obliged to adhere to the GDPR. Indeed, the law imposes serious fines for noncompliance with the new regulations. The GDPR comes into play the moment you begin working with people's personal data. The processing of the data of customers or prospective customers is prohibited – except as required for the fulfillment of a contract or other legitimate interests. Any other processing (e.g., for marketing purposes) requires the consent of the person concerned. This consent must be obtained and documented in advance. Previously granted consent remains valid as long as it is consistent with the GDPR.
Complying with regulations is no longer enough
The GDPR presents businesses with new requirements which must be actively fulfilled. These include the maintenance of a procedure log in which data processing procedures, processing purposes and deletion dates are registered. The procedure log can take the form of, for example, an Excel file and must be submitted to the competent supervisory authority upon request. As long as data processing is carried out on only an occasional basis, businesses with fewer than 250 employees are exempt from the requirement to keep a procedure log.
Information requests must be answered promptly
An additional new provision is that, effective immediately, your customers enjoy a general right of objection to the processing of their data. While your company may continue to store data necessary for the fulfillment of a contract, if the data in question solely serves marketing purposes, it must be deleted on demand. Furthermore, information requests from your customers with regard to processed data must be answered immediately.
A data privacy statement is compulsory even in consulting
If you operate a website, you already know the legally stipulated data privacy statement. Going forward, this declaration is also required in cases where the data is collected offline – for example, during a consulting session.
A data protection officer is often required
The GDPR requires that a data protection officer be named in all businesses which carry out processing procedures that necessitate regular systematic monitoring of employees or that concern especially sensitive data (e.g., health data). Even prior to the GDPR, German law required a data protection officer in companies in which more than ten employees were involved in the processing of personal data.
Data breaches must be reported immediately
Under the GDPR, any privacy breach must be reported to the competent supervisory authority within 72 hours. This was previously required only in exceptional cases. If there is a high risk of data loss, the persons concerned must also be informed. To minimize the risk of a data breach, the GDPR additionally prescribes risk-appropriate data security for your IT systems.