Questions and answers on GDPR implementation
We have complied a number of important facts on the GDPR for you here, and are revealing why you'll soon need our document shredders even more than you did in the past. And if questions remain unanswered? Then please contact us! Our specially trained customer service agents will be happy to help you at any time.
Questions & Answers on GDPR Implementation
974,567,257 million – this is our estimate of the number of questions that European companies have already asked due to the EU's new General Data Protection Regulation. After all, the list of amendments is long, and implementation will, at times, be complex. But who knows – there might soon be a few questions less!
Terms used in relation to the GDPR
What does GDPR stand for?
The General Data Protection Regulation (GDPR) is a new regulation issued by the European Union that – to put it concisely – standardises the regulations governing the processing of personal data by private companies and public agencies EU-wide.
It is a fundamental component of the comprehensive reform of data protection in the EU, which was presented by the European Commission in January 2012, and is comprised of 99 articles in eleven chapters.
What are personal data?
Personal data is, broadly speaking, all information that directly or indirectly allows a person to be identified. A fundamental potential for identification does, from a legal perspective, suffice. Personal data are, accordingly, therefore names, addresses, email addresses, phone numbers, birthdays, account data, license plate numbers, location data, health data, IP addresses, online ID codes, and cookies – to name a few examples.
Scope of validity of the GDPR
When does the GDPR come into force?
The GDPR was actually adopted on 24 May 2016. A transitional period was defined for its implementation, valid until 25 May 2018. This is the effective date on which every company must have completed all preparations for the GDPR.
For whom does the GDPR apply?
To start with, the GDPR applies for all companies and public authorities that are based in the EU, and process personal data regardless of type – meaning they collect, save and/or use personal data. Service providers who perform data processing for other companies are also covered by the regulations. In addition, companies from outside Europe need to comply with the regulations when they, for example, have a branch office in the EU, or process the personal data of citizens of the EU.
Drafting of, and background to, the GDPR
What is the background to the GDPR, and what does it aim to achieve?
The GDPR should, for example, strengthen the rights of citizens of the EU in regard to data protection and introduce a new, uniform standard to the previously valid data protection laws across the entire EU.
Furthermore, digitalisation also plays a large role. The new regulation aims to adapt the previous data protection regulations to the “new era” and restore citizens' confidence in the ability to control the data they have made available online.
Which regulations does the GDPR replace?
The GDPR is replacing “Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, which was passed in 1995, as well as other, additional requirements valid in the individual member countries.
In contrast to 95/46/EC, the GDPR is not a Directive, but rather a Regulation. It is therefore considered to be binding and applicable in all EU member states, and does not first have to be transposed into national law. Of course, all other regulations that apply in specific countries do, however, have to be adapted to the new regulation.
Contents and regulations of the GDPR
What won't be changing?
New regulations are not being introduced to many areas of data protection by the GDPR, as many provisions from the EU Data Protection Directive 95/46/EC have been adopted. The situation in the individual member nations of the EU does, however, vary enormously – the higher the data protection level to date, the fewer specific changes will be required due to the GDPR.
Which areas are subject to new regulations?
The GDPR encompasses a number of key innovations. Along with considerably higher potential sanctions and the extended reach, it includes, for example, the right to be forgotten. This also covers the right to have personal data deleted or blocked when there is no longer any authorisation to use the data – for example when the purpose of data processing no long applies, or when the person concerned withdraws their consent.
The right to data portability is also new. This grants people the option of taking their own specific data “along with them” e.g. to another service provider. Furthermore, the GDPR also includes more specific regulations on when companies have to nominate a data protection officer, and what they don't have to do. More details about the reforms are available to read in a concise form here.
Which benefits does the GDPR promise for citizens?
The GDPR will create greater transparency, as everyone has the right to find out which of their data were saved and collected when, where and by whom and for which purpose. At the same time, simplified access to these data is being introduced, which will end up making any deletion requested faster and less complicated. In a nutshell: more control!
Which benefits does the GDPR promise for companies?
One of the fundamental objectives of the GDPR is to eliminate the “obstacles to the free movement of personal data” within the EU by means of uniform regulations and the level playing field this creates. It can therefore be assumed that numerous operations will, in part, be considerably simplified. The European Commission estimates the economic benefits of a standardised data protection law in the EU to total €2.3 billion (also take a look here).
Where can I read the complete GDPR?
The official, and complete, legal text can be found here at the official Internet service maintained by the European Union. It is available in all of the EU's 24 official languages.
Where can I obtain additional information?
For even more details, we can recommend the highly descriptive and informative official website of the European Commission on GDPR.
Consequences of the GDPR for companies
What does the GDPR specifically involve for companies?
In summary, the GDPR requires you to be able to state and guarantee the purpose, duration, storage and deletion of personal data without omission in order to be able to satisfy provisions such as the right to data portability or the right to be forgotten without any problems. Or to put it more simply: you should always have a complete overview of which personal data you are collecting or processing for which purpose, without exception – and this everywhere. Please find more exact details of this in the official legal texts.
What do I have to do in the event of violation?
Should the obligation to protect personal data be violated, then the companies responsible must inform the persons affected immediately. Furthermore, the data protection supervisory authority responsible must be informed within a period of 72 hours.
What are the potential penalties?
The GDPR includes a much more effective range of sanctions than previously the case. Violations of data protection obligations can therefore be penalised much more harshly and to a greater extent from 25 May 2018 on. The highest penalty for companies and organisations in the event of non-compliance with the General Data Protection Regulation can total up to €20 million or 4% of annual global revenue – depending on which figure is higher.
Implementation of the GDPR
Why shouldn't you just concentrate on data processed electronically?
The reason is quite simple – because a large share of personal data are still found on paper. Estimates are based on assumptions that up to 70% of this information is not found online, but rather on bank account statements, receipts, invoices, tax documents, personalised advertising materials and other documents. And so they are directly in front of you on your desk, in your filing cabinet or – in the worst case – unshredded in your waste paper bin.
Where do sources of danger lurk at your daily work?
The risk of having documents with personal data fall into the wrong hands is large. Above all, this includes typical examples such as papers forgotten in the copier or confidential documents that are tossed into the rubbish bin without any thought. But this also applies to hard drives that have not been correctly overwritten, or when outsourcing document shredding to disposal companies – and therefore outsourcing control – can soon become quite dangerous situations.
Why are document shredders indispensable for implementing the GDPR?
It's quite obvious: because only they can guarantee that documents with personal data are shredded correctly and in compliance with the GDPR. However, please also note that only document shredders with security level P4 or higher actually satisfy the requirements of the GDPR – more detailed information can be found in our Document shredder purchasing guide.
How do I find the right document shredder?
This is also perfectly obvious – we have them. There are three protection classes and seven security levels. You can read up on all the background information in our Document shredder purchasing guide, and when you are on a specific search for the right model, our document shredder product finder will help you. We also have industrial document shredders for extra-large requirements in an industrial environment in our product range as well.
What should I do when I still have questions?
The easiest thing of all: contact us. Our customer service agents have received specific training in GDPR implementation, and will be happy to give you extensive advice on which document shredder is best suited for your purposes. Simply call us at 1 800 677 300, send an email to us at firstname.lastname@example.org, or use our contact form.