GDPR: Are You Ready for Compliance?


Although Kohezion’s headquarters are in Canada, we support clients all over the world, including the European Union (EU). Kohezion is aware of the upcoming changes to personal data protection regulations and now offers encrypted servers located in the EU to support its clients’ compliance efforts. To help our clients comply with the upcoming changes, this article explains what to expect in the near future and how Kohezion can help.

What Is Coming Up

The European Parliament, the Council of the European Union and the European Commission agreed on a new, reinforced and consolidated regulation for the data protection of all individuals in the EU: the General Data Protection Regulation (GDPR). Effective on May 25, 2018, it will replace the current Data Protection Directive. Its goal is to give the residents of the EU control over their personal data and to streamline the regulatory environment. Whether the data is held in the European Union, in the cloud or in another country, the GDPR applies. It provides a single set of rules for all EU member states.

Important Concepts

To help you better understand its content and its scope, here are a few definitions and examples of the concepts included in the GDPR.

First, it is important to understand whom this regulation concerns. Data controllers are the businesses or organizations collecting personal data from EU residents. Data processors are the organizations processing that data on behalf of data controllers. For example, Kohezion is a data processor for its clients. Data subjects are the people about whom data controllers collect personal data. Personal data is any private, professional, or public information identifying the data subject. Anything from a simple name or an email address to data as sensitive as medical information is considered personal data to be protected. The regulation applies if any of the data controller, processor or subject is based in the EU.

The responsibility and liability for compliance with the GDPR belong to the data controller. Appropriate technical and organizational measures must be set in place to protect the public. Article 25 of the GDPR clearly describes the concepts of data protection by design and by default.

Data protection by design:

“(…) the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Art. 25 GDPR)

Data protection by default:

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. (…) ” (Art. 25 GDPR)

Pseudonymisation is the process of transforming data that identifies a specific person into data that does not, in order to protect it. The best approach to pseudonymise data is encryption. Encrypted data cannot be read unless you have access to the proper decryption key.

One last concept we find important to define is the right to erasure. The data subject has the right to require the data controller to erase his or her personal data without undue delay. The right to erasure can be exercised under specific circumstances: the withdrawal of consent by the data subject, the termination of the relationship between the data subject and the controller, or the unlawful processing of personal data by the data processor.
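The two concepts above, pseudonymisation and erasure, are easier to reason about with a concrete record in front of you. The following is an added illustration, not Kohezion’s code: it replaces the directly identifying fields of a customer record with keyed tokens, keeps the re-identification table separately (the “additional information” the GDPR expects to be held apart from the pseudonymised data), and handles an erasure request by deleting that table’s entries for the subject. The article recommends encryption for pseudonymisation; this example uses an HMAC (a keyed hash) as the pseudonymisation function so that it runs with the Python standard library only. The field names, key and sample record are all constructed for the example.

```python
"""Pseudonymise a customer record with a keyed token function and honour
an erasure request by removing the re-identification data.

Added illustration, not Kohezion code. HMAC-SHA256 is used as the
pseudonymisation function (an assumption; the article recommends
encryption). All field names, keys and records are constructed."""

import hashlib
import hmac
import secrets

# Fields that directly identify a data subject (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Derive a stable token for one identifier.

    Equal inputs map to equal tokens, so pseudonymised records remain
    joinable; without `key` a token cannot be linked back to its value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def minimise(record: dict, needed: tuple) -> dict:
    """Data protection by default: keep only the fields the processing
    purpose actually needs, dropping everything else before storage."""
    return {k: v for k, v in record.items() if k in needed}


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` with direct identifiers replaced by tokens.

    `lookup` (token -> original value) is the separately held information
    that allows re-identification; it must live apart from the data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonym(out[field], key)
            lookup[token] = out[field]
            out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore identifiers from the lookup table.

    Fields whose mapping has been erased come back as None, which is the
    intended outcome after an erasure request."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = lookup.get(out[field])
    return out


def erase_subject(identifiers: dict, key: bytes, lookup: dict) -> int:
    """Right to erasure: remove every lookup entry for the subject's known
    identifiers so that no stored token can be attributed to them again.
    Returns the number of mappings removed."""
    removed = 0
    for value in identifiers.values():
        if lookup.pop(pseudonym(value, key), None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held by the controller, not with the data
    lookup = {}                            # stored separately from the records
    raw = {"name": "Ada Example", "email": "ada@example.org",
           "plan": "pro", "shoe_size": 38}  # constructed sample record
    stored = pseudonymise(minimise(raw, ("name", "email", "plan")), key, lookup)
    print("stored:", stored)
    print("re-identified:", reidentify(stored, lookup))
    erase_subject({"name": raw["name"], "email": raw["email"]}, key, lookup)
    print("after erasure:", reidentify(stored, lookup))
```

Because the tokens are keyed, two copies of the dataset pseudonymised with different keys cannot be linked to each other, and an erasure that deletes the lookup entries (or the key itself) leaves every remaining copy of the record unattributable without having to locate each one.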

Other important concepts related to the GDPR you should be aware of include consent, data breaches, data protection officers, and data portability. To learn more about the specifics of the regulation, we suggest you visit the Information Commissioner’s Office (ICO) website and the final text of the regulation itself.

Why You Can’t Ignore It

Most of us dread change, and it’s tempting to bury our heads in the sand. That would not be advisable in this case. Whether we are prepared or not, the GDPR will apply from May 25, 2018, and ignoring it could be costly. A first, unintentional instance of non-compliance may only cost your organization a written warning, but heavy fines are also possible: “(…) up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” (Art. 83 GDPR) Such administrative fines could lead to bankruptcy for many businesses. Moreover, completing the changes required by this new regulation has significant implications in terms of budget, IT, personnel, governance, and communications. A smooth and cost-effective transition must be planned ahead and implemented broadly across the organization before the regulation comes into force.

Kohezion Can Help

Kohezion is an online database software enabling a high level of data management through the creation of personalized no-code applications. As an established data processor, Kohezion is a great asset to assist you on your journey to compliance with the GDPR. Although Canada is recognized as an adequate country, transferring data outside of the EU makes audits more complicated. This is why Kohezion now offers encrypted servers located in the EU, allowing its customers to respect the “data protection by design” requirements. Simply contact us to transfer your current account or to create a new account hosted on these encrypted, EU-hosted servers.

Kohezion gives data controllers the ability to manage personal data efficiently and safely. Creating your own database applications to secure your data is quick and easy, and doesn’t require your team to learn code. Transitioning from your current data management system, whether it is Excel spreadsheets, ACT, or even pen and paper, is a reasonable undertaking. Once your account is created, benefit from Kohezion’s many features to support your business growth.

Kohezion is also the perfect tool to manage your compliance with the GDPR. Use it to keep track of what personal data you hold, how you acquired it, and whom you shared it with. To respect the data portability clause, Kohezion allows you to provide the data subjects a readable copy of their data through our report and export features. As for the right to erasure, Kohezion helps you locate and delete the data efficiently. Kohezion also allows data protection officers to create their own applications to handle record processing activities.

The Kohezion team understands that your business needs to deal with troublesome changes during the transition to the GDPR. Kohezion might just be the powerful tool you need to assist you on this journey. When you are ready to take a step toward compliance, contact us to learn more about how Kohezion can help you abide by the upcoming GDPR.