General Data Protection Regulation (GDPR): Another perspective
The European Union's new General Data Protection Regulation (GDPR) on the Protection of Personal Data of European Citizens (voted in 2016, with effect from May 25, 2018) has been a major concern for the business world. While, especially in recent months, there has been increased awareness of the requirements of the Regulation (with workshops, articles, compliance seminars, etc.), part of the business community, and especially small and medium-sized enterprises, remains concerned about the volume of information, the non-compliance of their business, the cost of organizational and/or technical changes, and primarily the large fines provided by the Regulation for specific types of infringements.
Considering the reasonable concerns that are being heard, it is worthwhile to look at some positive aspects of the Regulation, beyond the much-discussed legal aspect.
From the perspective of citizens as consumers of goods and services, the Regulation is admittedly a positive development. Strengthening the framework for the processing of personal data (such as limiting abusive data collection or automated processing) and requiring compliance with security rules (e.g. against loss or leakage of personal data) will undoubtedly reinforce the protection of the rights and freedoms of individuals.
From the perspective of the business, however, things are not so clear. Large businesses are more likely to have the appropriate organizational structures, information systems (IT), and the scope for providing sufficient financial and human resources for more decisive adaptation to the requirements of the Regulation, even if they process personal data on a large scale. For small and medium-sized enterprises, some of the requirements of the Regulation are limited, making it possible to comply at a cost commensurate with the size of the business (and individual legal adjustments from national parliaments are also expected in this regard). However, small and medium-sized enterprises tend to treat the Regulation as a necessary evil.
However, alignment with the Regulation should be seen as an opportunity for a number of reasons that are often overlooked. One reason is to create a comparative advantage for those businesses that can demonstrate compliance with the Regulation to their customers and partners. While the mentality differs from country to country (in some countries, privacy issues have long been embedded in corporate practices and citizens' common knowledge), in Greece, steps in that direction are slower, for both citizens and government departments. However, information and public awareness now spread more quickly than in the past, and especially in the recent past there have been strong reactions to the practices of various companies on privacy issues. So how to deal with and monitor the implementation of the Regulation is not just a question of legal enforcement but also a matter of pressure from citizens and consumers to protect their rights. In other words, in addition to the legal aspect, market laws will also work, with the comparative advantage being based on the relationship of trust between businesses and consumers, but also between businesses and their partners.
An even more important parameter is related to the security of data stored in electronic form. Larger companies are once again more able to organize the security of their IT systems and deal with incidents with specialized IT staff and IT departments. This does not mean they are "invulnerable", but it certainly impedes attempted electronic attacks against them. This is also apparent in the global increase of online attacks targeting small and medium-sized businesses, which are more vulnerable and numerous. Such attacks include the encryption of data (crypto-viruses) with a ransom demanded for its decryption, system breaches and the monitoring of systems to intercept financial data for financial gain, and other forms of online fraud. Especially after the massive attacks with crypto-viruses or other malicious software in recent years, it has been noted that in 2018 and 2019 the online security industry will be very busy, with many companies increasing their online security budget or setting up such a budget for the first time.
Beyond the consequences under the Regulation in the event of a breach of information systems, there is a question of security and prevention of financial damage from such practices. So, complying with the Regulation will not only result in client or partner data protection, but it is also a great opportunity to be informed about the online risks and how to respond to them, and most importantly to prevent the financial damage or downtime that they may cause.
Lastly, the Regulation is now a reality that is partly driven by the rapid developments in technology, and even tries to include future developments and innovations as far as possible. The compliance effort will therefore inevitably bring new knowledge to businesses that do not have the ability to employ specialized IT staff and are technologically more "immature" even if their day-to-day operations are based on electronic and computing systems. The importance of this new knowledge and modernization is particularly crucial to maintaining competitiveness, because while everything new needs time to be digested and adopted, technological developments and the changes that accompany them are rapid.
Find more about how we can help your company comply with the regulation.
This article is intended to inform the reader and in no way substitutes for specialized consulting services.
For more information, please contact MDC Stiakakis SA (Monis Kardiotisis 49, Heraklion | +30 2810 280985)