GDPR, GEP and You
In January 2012, the European Commission announced its plan to reform the data protection process across the EU so as to make Europe “fit for the digital age.” After a four-year effort, agreement was reached on how to make that intention a reality, via the GDPR.
On May 25, 2018, the GDPR will become enforceable, replacing the current EU Data Protection Directive. The GDPR differs from the Data Protection Directive in that it will have direct effect in all EU member states, which will not need to create any local legislation; the GDPR will override any country-specific privacy laws that were already in place.
The GDPR applies to any organization or corporate entity operating within the EU, as well as those outside the EU that offer goods or services to businesses or customers in the EU. This means that every organization, regardless of location, that works with the personal data of EU citizens (as defined by the GDPR) will be under obligation to comply with GDPR requirements.
Under the GDPR framework, GEP’s customers are designated as “controllers” of the personal data contained within the SMART by GEP platform, and GEP is designated as a “processor.” Therefore, GEP and its customers are both required to comply with certain obligations under this new data protection regulation. One set of obligations is specific to the controller-processor relationship; the other set concerns the controller’s responsibilities for handling personal data, in this case mainly from users of SMART by GEP, such as employees and business associates.
GEP expects that its customers and SMART by GEP users will be mindful of the legal requirements that are going into effect under the GDPR. In particular, we ask our clients to make certain that they have obtained the consents and permissions that GEP must have in order to function as a processor of business-related personal data.
As a business partner with our clients, GEP has made the commitment to support their compliance-related efforts. These include activities related to the GDPR criteria in Chapter III (Rights of the Data Subject), especially the rights of access and rectification (Articles 15 & 16), right to erasure or “right to be forgotten” (Article 17), right to data portability (Article 20), and right to not be subject to automated decision-making, including profiling (Article 22).