EU General Data Protection Regulation (GDPR)

No, unfortunately: see https://gdpr-info.eu/art-6-gdpr/ on the rules for processing personal data
and Art. 17 GDPR – Right to erasure (‘right to be forgotten’) - General Data Protection Regulation (GDPR) for the right to be forgotten.
There is most definitely more needed to make intentions clear.

I can guarantee we are not enjoying this exercise.
It’s very difficult and expensive (in work hours studying this and implementing changes to our processes) for us as a company.
Not fun!

To the European Union, it’s simple. If you do business in one of our countries, you should pay tax in that country.
This is visible in:
the rules on VAT
(https://quaderno.io/blog/what-you-must-know-about-vat-if-you-have-customers-in-europe/),
the rules on tax evasion
(http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012IP0019
or
https://ec.europa.eu/taxation_customs/business/tax-cooperation-control/administrative-cooperation/enhanced-administrative-cooperation-field-direct-taxation_en)
and the new rules coming into play in 2019 (https://ec.europa.eu/taxation_customs/business/company-tax/anti-tax-avoidance-package/anti-tax-avoidance-directive_en), caused again by those same big companies (Europe wants big companies to come clean about their taxes).

Everything goes like this:
Big companies misbehave → EU changes rules → Big companies hire lawyers and are even willing to pay fines if necessary as everything plays out. Small companies suffer under the new rules.
Not much fun at all.

The EU is happy enough to trade within itself only as a cabal. If the big US companies try to trade without paying their taxes, instead of competing, the EU will set the lawyers and accountants onto them. They’re just using the old Mafia and Soviet Union play-books.
History has shown us that none of this will end well for the EU.

How can we compete when the rules we have to comply with are so much tougher than for companies in other trade zones?
The very strict EU rules kill competition. And you are correct, they then try to kill the others too, by using lawyers and accountants.
Europe is a bureaucracy when it comes to this.

The new rules are just that: new.
Not many courts have decided on the details yet, and there is not much personnel to check.
For now we may not do much.
Next year maybe start making a list of what data we keep, why we keep it and how we process it, so we can show that document when someone asks.
Other things like using encryption, having backups, keeping software patched and maybe even audit functions to know who made what should be standard for you already.

Christian is right,
they are just new rules.
Most of them involve good practices that become rules, and we all already should be able to make the systems adequate.
To think that there should not be means continuing to have archives of users with passwords in the clear, and sales of information to third parties, even relating to behaviours that have been deduced or that are easily deducible from the data. And this, in our connected world, is a real danger. These rules should allow us not to be involved in any “accidents”.

So the minimum fine is 20 million euros? That’s pretty badass.

Seems pretty straightforward, what’s the concern?

Just read the text. It states clearly “up to”.

I certainly didn’t mean to spread misinformation, and while I know I saw that yesterday (I read it three times because I couldn’t believe it), I can’t find it now.

I guess I’ll just leave it with this article:
https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

and a link to the actual text of the regulation (available in all languages of the EU countries, linking to the English one here, click and change the language if necessary)
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

To us the concern is the fine if they find you in non-compliance. We will not take the risk, so we’re working hard to comply.

Well, I just signed up for a training day at the training center nearby to learn about it.

Let us know what you find out.

We already went to a presentation where they informed us on how to comply.

It’s mostly down to only storing the minimum information you need to do your job.
Making sure you either have permission to store this data, or are able to prove you need this data to be able to conduct your business, or need it as part of a legal requirement (i.e. filing paperwork with the government)
Making sure you store all data in a safe way
Making sure the data is accurate and up-to-date
Be able to prove you will only store the data for as long as you need it
Have a cyber-security plan in place, with provisions in place in case it goes wrong
Be prepared to list all the data you store about a person upon request by that person (even if you have it on paper, i.e. a business card)
Be prepared to delete data you don’t need to run your business if the person demands to be deleted from your database
If you do mailings with data you bought, make sure the company that provided you your leads is also compliant.
If you build automated systems to process personally identifiable data, be able to prove you built it with “privacy by design” and the settings are “privacy by default” (for instance, a programmer for a company does not need to see in the software whether a customer of the company paid his bills, whilst the accountant of course does need to see this)
check regularly that your company still processes data in compliance with the GDPR.
educate your employees on GDPR compliance.
Document everything about the way you work and the way you handle sensitive data (pictures, phone numbers, IP addresses, addresses, ID card numbers, bank account info…). This applies to filing cabinets and paper files as well.

That’s the short summary. We’re now adapting the way we work, and our software to be in compliance.
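The “privacy by default” point in the list above (a programmer must not see payment status, the accountant must) and the two requests you have to be able to serve (list everything stored about a person; erase what you do not need to keep) are easy to demonstrate in code. The block below is an added example for this thread, not code from the poster’s company or from any product mentioned here; the field names, roles, purposes and retention rules are assumptions chosen for illustration.

```python
"""Privacy by default, subject access export and erasure for one customer record.

Added example for this thread, not code from the forum post. The field names,
roles and legal-basis labels are assumptions chosen for illustration.
"""
from typing import Any, Dict, List

# Register of every personal-data field we store: why we keep it and on what
# legal basis. This doubles as the "what data, why, how processed" document
# the thread says you should be able to show on request.
FIELD_REGISTER: Dict[str, Dict[str, str]] = {
    "customer_id":  {"purpose": "key for retained accounting records", "basis": "legal_obligation"},
    "name":         {"purpose": "identify customer",                   "basis": "contract"},
    "email":        {"purpose": "service e-mail",                      "basis": "contract"},
    "phone":        {"purpose": "contact on payment problems",         "basis": "contract"},
    "newsletter":   {"purpose": "marketing",                           "basis": "consent"},
    "paid_bills":   {"purpose": "accounting",                          "basis": "legal_obligation"},
    "invoice_addr": {"purpose": "invoicing",                           "basis": "legal_obligation"},
}

# Privacy by default: a role sees only the fields on its allow-list. Anything
# not listed is hidden, and an unknown role sees nothing at all.
ROLE_VIEWS: Dict[str, frozenset] = {
    # the thread's example: a programmer does not need to know who paid
    "programmer": frozenset({"customer_id", "newsletter"}),
    "support":    frozenset({"customer_id", "name", "email", "phone"}),
    "accountant": frozenset({"customer_id", "name", "invoice_addr", "paid_bills"}),
}


def view(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return the subset of `record` that `role` is allowed to see."""
    allowed = ROLE_VIEWS.get(role, frozenset())
    return {k: v for k, v in record.items() if k in allowed}


def subject_access_export(record: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Everything held about the person, with purpose and legal basis per
    field, as you would hand to the data subject on request."""
    return {k: {"value": v, **FIELD_REGISTER[k]}
            for k, v in record.items() if k in FIELD_REGISTER}


def erase(record: Dict[str, Any]) -> Dict[str, Any]:
    """Honour an erasure request: drop every field except those a legal
    obligation (e.g. bookkeeping retention) forces us to keep."""
    return {k: v for k, v in record.items()
            if FIELD_REGISTER.get(k, {}).get("basis") == "legal_obligation"}


def unregistered_fields(record: Dict[str, Any]) -> List[str]:
    """Fields stored without a register entry: data we cannot justify keeping."""
    return [k for k in record if k not in FIELD_REGISTER]


# Constructed sample record (not real data).
SAMPLE: Dict[str, Any] = {
    "customer_id": 4711,
    "name": "Jane Doe",
    "email": "jane@example.com",
    "phone": "+32 2 555 0100",
    "newsletter": False,
    "paid_bills": True,
    "invoice_addr": "1 Example Street, Brussels",
}

if __name__ == "__main__":
    print("programmer sees:", view(SAMPLE, "programmer"))
    print("accountant sees:", view(SAMPLE, "accountant"))
    print("after erasure:  ", erase(SAMPLE))
```

The useful property is that the register drives everything: a new column that nobody added to `FIELD_REGISTER` shows up in `unregistered_fields()`, is invisible to every role, and is dropped on erasure, so the default for unjustified data is “not visible, not kept”.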

That’s one of the reasons why, when I attended one of the preliminary presentations (it was just before they approved the new rules in their definitive form), it was hard for me to understand what was new.
I was already used to storing only the needed data, and I always asked for a full document for every “extra” piece of data (why do you need it? who needs to access it? how do you want to process it?)

As I said before most of the requirements are about best practice that we should already follow.

Probably the bad news is that everything will be controlled and reviewed by people who will not understand our work but will only ask for what they expect to see, in the form they think it should be (i.e. actually there is no technical paper, and usually lawyers are not IT technicians).

To add to this: keep in mind that the data set you use for debugging and testing is NOT your real-life production data. We (mortgage BPO company) have to make sure that testers are not able to identify customers, so we had to anonymize our test data sets and/or ring-fence our test servers (2000 VMs) so that nobody outside the test domain can peek into servers, DBs etc. Heck of a job.
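Anonymising a production extract for a test environment is mostly a matter of replacing identifiers consistently (so that customer and loan rows still join), replacing direct identifiers with synthetic values, and verifying afterwards that nothing from the original survives. The following is an added example illustrating the post above; it is not code from the poster’s company or from the thread. The two-table layout, the field names and the sample rows are constructed for illustration.

```python
"""Pseudonymise a production extract (customers + mortgages) for a test environment.

Added example, not the poster's code. Table layout, field names and sample rows
are constructed. Identifiers become keyed (HMAC) tokens so rows across tables
still join; names, e-mails and IBANs are replaced with synthetic values; birth
dates are generalised to the year. The key stays on the production side, so
testers holding the output cannot reverse or guess the mapping.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample extract (not real customers or accounts).
CUSTOMERS: List[Dict] = [
    {"customer_id": "C-1001", "name": "Jane Doe", "email": "jane@example.com",
     "iban": "BE71096123456769", "born": "1980-03-14"},
    {"customer_id": "C-1002", "name": "John Roe", "email": "john@example.org",
     "iban": "NL91ABNA0417164300", "born": "1975-11-02"},
]
MORTGAGES: List[Dict] = [
    {"loan_id": "M-77", "customer_id": "C-1001", "principal": 250000, "rate": 2.1},
    {"loan_id": "M-78", "customer_id": "C-1001", "principal": 40000, "rate": 3.0},
    {"loan_id": "M-79", "customer_id": "C-1002", "principal": 180000, "rate": 1.9},
]


def token(key: bytes, value: str, prefix: str, length: int = 8) -> str:
    """Deterministic keyed token: same key + input -> same token, so foreign keys
    keep matching across tables processed separately. Without the key the token
    cannot be reversed, and the small real ID space cannot be brute-forced."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"


def fake_iban(key: bytes, iban: str) -> str:
    """Keep country code and length (so length/format code paths still run) and
    replace everything else with key-derived digits. Check digits are not
    recomputed, so the result is never a real account."""
    digest = hmac.new(key, iban.encode(), hashlib.sha256).hexdigest()
    digits = "".join(str(int(ch, 16) % 10) for ch in digest)   # 64 digits
    return iban[:2] + digits[: len(iban) - 2]


def pseudonymise(key: bytes, customers: List[Dict],
                 mortgages: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Return pseudonymised copies of both tables; the originals are untouched."""
    out_customers = []
    for row in customers:
        new_id = token(key, row["customer_id"], "C-")
        out_customers.append({
            "customer_id": new_id,
            "name": f"Customer {new_id}",                 # synthetic, not derived from the real name
            "email": f"{new_id.lower()}@test.invalid",    # .invalid is reserved, mail can never be sent
            "iban": fake_iban(key, row["iban"]),
            "born": row["born"][:4] + "-01-01",           # generalise to year only
        })
    out_mortgages = [
        {**row,
         "loan_id": token(key, row["loan_id"], "M-"),
         "customer_id": token(key, row["customer_id"], "C-")}  # same token as the customers table
        for row in mortgages
    ]
    return out_customers, out_mortgages


def leaked_values(originals: List[Dict], output: List[Dict]) -> List[str]:
    """Values from the real extract that still appear verbatim anywhere in the
    output. Run this before the data set leaves the production domain."""
    fields = ("customer_id", "name", "email", "iban", "born")
    sensitive = {str(r[k]) for r in originals for k in fields}
    blob = " ".join(str(v) for row in output for v in row.values())
    return sorted(s for s in sensitive if s in blob)


if __name__ == "__main__":
    key = b"production-side-secret"   # assumption: held only in production, never shipped with the data
    cust, loans = pseudonymise(key, CUSTOMERS, MORTGAGES)
    for row in cust + loans:
        print(row)
    print("leaks:", leaked_values(CUSTOMERS, cust + loans))
```

Note what this does and does not give you: amounts, rates and dates of the loans are unchanged, and combined with an outside source they may still single someone out, so ring-fencing the test domain (as the post describes) is still needed; pseudonymised data is still personal data under the regulation, only with lower risk.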

Small is beautiful. European agencies are notoriously under funded.

In France, we have a very strong set of laws, but the CNIL agency does not have enough staff to go after each and every small operator.

I strongly suspect a great deal of the new regulation is inspired by the work of French and German law in the matter.

The European Commission will probably go after biggies such as Amazon, Facebook and Google, but I frankly doubt their radar will see microscopic businesses like mine or even bigger ones like Xojo.

Sure, we have a similar concept. Except that it is based around tax nexus. So if you have a tax nexus in a state, you pay there for your sales there, because you are effectively there. But if you aren’t there, then you don’t. In the American view, there is no tax nexus just selling to someone who happens to live in another country, no matter what the other country wants.

I think the EU already has its hands full with loads of large companies playing musical chairs with tax homes in Europe, and those companies have offices in Europe where you can send in some tax officers. Getting companies with no base at all in Europe to follow European regulations - well, good luck.

I think you know that taxation works a bit differently in each US state. Some states have tax treaties with each other for sales tax collection. But then you have a handful of states where there isn’t a sales tax. So there isn’t any reason for those states to collect taxes for other states. Then you get people who buy in the sales-tax-free states, and under their own state laws they can be liable, but they know they can’t compel the sales-tax-free state to do anything about it. They have to compel their own residents to pay up.

That’s why the American view is typically “talk with the Prez”.

Warning: this is a shameless plug — please ignore if you are offended!

I have written a Xojo WebApp back end for a company (CyNation.com) who provide GDPR services. They have a web front-end (not written by me or in Xojo) that asks a series of industry-related questions (called CyReg) which gives you a GDPR score out of 100. This is free. If you want advice on how to change your business to become GDPR compliant, you can register and pay $$$.
https://cyreg.co.uk/gdpr-liability

I am not an owner or shareholder of the company, nor get any proceeds from any sales. If you do register and later want to be removed for any reason then please inform me.

Again, apologies for those with a sensitive disposition.