May is over now, and apart from warmth and super sunny moments it brought the new EU GDPR (General Data Protection Regulation), which has been in effect since Friday, May 25th 2018, in each member country of the European Union.
During the past weeks every one of us received tons of nervous emails concerning the upcoming changes. We have been asked to renew our declaration of agreement with data processors or to unsubscribe from newsletters, just to give an example. What a great opportunity to clean up the personal daily mail flood! But the regulation has a large impact on our professional life too!
Why stronger Rules?
If you want to know more about the rules for business and administration or about your personal rights as a citizen, check the EU information website.
The EU authorities state that the GDPR will work in two ways: it will strengthen citizens' fundamental rights on the one hand and facilitate business by simplifying rules on the other. It applies not only to businesses and companies that are located or have a presence in one of the EU countries, but just as well to those who hold personal data of EU residents. Personal data in this case means any information that relates to an identifiable living person – no matter if it is a copy of a personal document, information about a person's religious or cultural background, or just an email or IP address of a website visitor, a telephone number or even a photo.
Revolution or just Evolution?
Although everyone has known – or could have known – for at least two years that the GDPR was about to come and that it would replace the former Data Protection Directive from 1995, there has been a lot of fear-mongering recently concerning the new regulations and the penalties that apply if controllers or processors of personal data do not follow the rules. But is it really a revolution, or just the logical next step in handling and securing confidential information even better?
First of all, we all need to define our part in the system. What does processing personal data mean, and who exactly is the processor of the data, as distinct from the controller of the data and the data subject itself?
Data Security in Relocation
For us as a relocation agency, the atlas clients are the controllers of the personal data of their employees, the data subjects. Any company that wishes to use the services of our atlas relocation agency controls the means and purposes of using the personal data it entrusts to us. We and all of our consultants are the processors, who process the data on behalf of our clients. This includes obtaining, recording, transmitting, storing and finally deleting the given data once the service has been conducted or deletion is requested for any reason by either the data subject or the controller.
The data subjects, in our case the relocating employees, have to be provided with access to their own data and with information about how it is processed, and finally they have the "right to be forgotten" once the data is no longer needed. They also have the right of portability, which means that the personal data has to be moved from one controller to another one on demand.
In order to secure our system, we have reviewed our data policies and can assure you that we protect all personal data entrusted to us. In respect of the "right to be forgotten", we do not store any data of the relocating employees longer than the legally required period. We have aligned our security controls and educated all our consultants on how to handle personal information responsibly.