Companies at risk of fines for their personal data processing

The General Data Protection Regulation (GDPR) applies to all companies operating in the EU and the purpose of the law is to ensure that personal data is processed in such a way that the privacy of citizens is protected. If a company or authority violates the rules of the GDPR, they risk being fined. The responsibility for personal data management lies with the companies and applies to customers’, employees’ and suppliers’ personal data.

The basic requirement is that the data subject has given his or her consent to the processing of personal data. The processing of personal data must then be carried out in accordance with the principles of the GDPR. This means, among other things, that you as a data controller:

  • must have a legal basis under the GDPR for processing personal data
  • may only collect personal data for specific, explicit and legitimate purposes
  • may not process more personal data than is necessary for those purposes
  • must ensure that the personal data is accurate
  • must delete the personal data when it is no longer needed
  • must protect personal data, for example against unauthorized access, loss or destruction
  • must be able to demonstrate compliance with the GDPR and how that compliance is achieved.

Cloud services and personal data management

When it comes to cloud computing, the issue of protecting personal data from unauthorized access is of particular interest. With US laws like the CLOUD Act, which contradict the GDPR, it becomes impossible to guarantee privacy and you risk violating the GDPR by handling personal data in foreign cloud services.

Many people are unaware that the way they handle personal data may be in breach of the law. They don’t think about the fact that the files they work with on a daily basis may contain sensitive data, but the fact is that, for example, customer records, payroll records or notes from performance reviews may be inappropriate to handle in foreign cloud services. We have several customers who have come to us with a need to be able to handle sensitive data in a regular way, where we have helped them with a GDPR-safe solution.

Axel Hermansen, Sales Manager, Storegate AB

How much can the penalty be?

Compliance with the GDPR is monitored, and penalties for non-compliance are imposed, by the Data Protection Authority (DPA). The amount of the penalty varies depending on the seriousness of the infringement. The maximum fine for companies is €20 million for a serious infringement, or 4% of global turnover, whichever is higher. For a slightly less serious infringement, the maximum fine is €10 million or 2% of global turnover, whichever is higher. For public authorities, the maximum amount is 10 million SEK.

The amount also depends on the nature of the breach itself and on whether one or more provisions of the GDPR have been breached. IMY, the Swedish data protection authority, looks at the circumstances of each case. The idea is that the penalties should be proportionate to the company’s turnover and act as a deterrent.