GDPR – most of us have come across this acronym, which stands for the General Data Protection Regulation. Those of us who have taken a closer look have also come to realize the complexity and the extensive requirements of this European Union regulation. As the GDPR is about to come into effect, we are all going through one of the most significant – and laborious – changes in data privacy.
The GDPR started as an effort to protect the privacy of EU citizens against multinational corporations that had stretched the limits of European human rights in their race to expand and monetize their consumer base. At the same time, it also created a strict regime that applies equally to companies and organizations that are not in the consumer business and do not make money from personal data.
GDPR lifted data protection and privacy to the agenda
This means that all companies and other entities will now need to comply with a new, stricter set of privacy rules. In many respects, similar rules already exist under the old EU Data Protection Directive of 1995 and the national legislation implementing it. But the GDPR brings new and more detailed obligations, and it fortifies these rules by imposing fines that can go up to 4% of the violating company's annual global turnover (or EUR 20 million, whichever is higher).
This has put data protection on the agenda in boardrooms and brought privacy onto the risk radar of legal and compliance officers. It now ranks alongside competition law compliance, where penalties have traditionally been on a similar level.
Like so many other organizations worldwide, OpusCapita has been closely following the legislative process and then the preparations for the regulation's effective date of May 25, 2018. For the last two years we have been preparing for the new regime in various ways: training our personnel, going through the IT systems and processes that touch the personal data we control or process, revising our general terms of agreement and data processing agreements with business partners, and so forth.
Building a common GDPR compliance framework with customers
OpusCapita, like its sister organization Posti Messaging, which focuses on the Business-to-Consumer sector, is engaged in operations that make us, from the GDPR point of view, personal data processors for our customers, who in turn are the personal data controllers. In that division of roles, the controller has the primary compliance responsibility towards the data subjects whose data it contracts the processor to process. These key roles and responsibilities are outlined in Articles 24 and 28 of the GDPR.
As our understanding of the GDPR and of the interdependency of the parties involved has developed, we have come to realize that we need a common GDPR compliance framework with our customers and other business partners. The companies that operate in the same value chain, where personal data is collected, transferred, processed and stored, need to ensure that together they implement end-to-end protection covering the whole personal data processing chain and life cycle. One example: controllers should verify that file transfers to their processors use a secure protocol (SFTP instead of plain FTP, which sends both credentials and file contents unencrypted) and, if not, make the necessary investments to implement a more secure transfer method.
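As an added illustration of the file-transfer check mentioned above (this is not OpusCapita code, and the endpoint list, hostnames and URLs in it are constructed for the example), the following Python script goes through a list of configured transfer endpoints and flags the ones that would move personal data over a plaintext protocol. It treats SFTP (file transfer over SSH) and explicit FTPS (FTP over TLS) as acceptable and plain FTP or HTTP as findings; scheme-less `host:port` entries are classified from their port, since a legacy configuration often records only those.

```python
"""Audit configured file-transfer endpoints for plaintext protocols.

Added example, not OpusCapita code. ENDPOINTS below is a constructed
sample; every host name in it is hypothetical.
"""
from urllib.parse import urlsplit

# Protocols that protect credentials and file contents in transit.
SECURE_SCHEMES = {"sftp", "scp", "ftps", "https"}
# Protocols that send credentials and contents in the clear.
PLAINTEXT_SCHEMES = {"ftp", "http"}
DEFAULT_PORTS = {"ftp": 21, "sftp": 22, "scp": 22, "ftps": 990, "http": 80, "https": 443}

# Constructed sample of what a processor's integration config might list.
ENDPOINTS = [
    "sftp://bank.example.test/inbox",          # fine
    "ftp://legacy-erp.example.test/outgoing",  # plaintext FTP
    "files.partner.example.test:21",           # scheme-less, port 21 -> FTP
    "files.partner.example.test:22",           # scheme-less, port 22 -> SFTP
    "https://api.payroll.example.test/upload", # fine
    "tftp://netboot.example.test/export",      # unknown protocol, needs review
]


def classify_endpoint(url: str) -> dict:
    """Return scheme, host, port and a verdict ("ok", "plaintext", "unknown")."""
    # urlsplit needs "//" to treat a scheme-less "host:port" as a netloc.
    parts = urlsplit(url if "://" in url else "//" + url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port  # None when the entry carries no explicit port
    if not scheme:
        # Scheme-less entry: infer the protocol from the well-known port.
        scheme = {22: "sftp", 21: "ftp"}.get(port, "unknown")
    port = port or DEFAULT_PORTS.get(scheme)
    if scheme in SECURE_SCHEMES:
        verdict = "ok"
    elif scheme in PLAINTEXT_SCHEMES:
        verdict = "plaintext"
    else:
        verdict = "unknown"
    return {"url": url, "scheme": scheme, "host": host, "port": port, "verdict": verdict}


def audit(endpoints) -> list:
    """Return the endpoints that are not confirmed secure, for follow-up."""
    return [f for f in map(classify_endpoint, endpoints) if f["verdict"] != "ok"]


if __name__ == "__main__":
    for finding in audit(ENDPOINTS):
        print(f"{finding['verdict']:9} {finding['scheme']:7} {finding['host']}:{finding['port']}  ({finding['url']})")
```

The "unknown" verdict is deliberate: anything the script cannot classify should be reviewed by a person rather than silently passed, and the same goes for endpoints it marks "ok", since a correct scheme says nothing about host-key verification, credential handling or who is allowed to log in on the other side.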
OpusCapita supports its customers in the GDPR effort
To support you, our customer, in your GDPR compliance effort, OpusCapita will launch GDPR compliance support web pages, where you can take care of your GDPR compliance preparations and records concerning OpusCapita in one place.
They will include a standard data processing agreement (DPA) and the related information you will need as a personal data controller in order to properly document your processing activities in accordance with the regulation. We have prepared the DPA drawing on the European market's recent move toward a balanced, standardized approach to the contractual regulation of personal data processing, including guidance from the EU privacy advisory and cooperation bodies and the standard DPA templates issued by IT industry organizations in the Nordics and Germany.
For us, it is just another step on the way to making GDPR compliance and privacy protection part of our corporate DNA and an inherent element of the services we provide.
Head of Legal & Compliance
Perttu Pessa is the Data Protection Officer at OpusCapita and responsible for leading OpusCapita’s preparations for GDPR compliance.