In today's data-driven world, people are increasingly concerned about possible data breaches and the theft of important information. In order to protect its citizens, the EU Parliament adopted the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. In this article, we are going to look at the key elements of the GDPR and offer you a simple checklist to see if you are fully compliant.
Try now: Data Protection and Security Toolkit
The idea behind the GDPR is quite simple: it is meant to give EU citizens the right to know and decide how their personal data is being collected, stored, processed, protected and deleted. Simple as it may sound, the regulation sets a very high standard and many companies find themselves struggling trying to comprehend its requirements and put all the necessary systems and processes in place.
However, non-compliance may result in hefty fines (up to 4% of annual global turnover), high legal costs and significant reputational damage. Therefore, we believe it is high time we all understood what the GDPR entails and took the steps to ensure compliance.
If you are wondering whether you are affected at all, then the answer is probably yes. Regardless of where your company is based, the regulation affects you if you supply goods or offer services to EU citizens or companies.
First of all, let’s examine the main elements of the GDPR in more detail.
Personal data is any information relating to an identifiable person, which can be used to directly or indirectly identify this person. It includes name, surname, address, email address, phone number, Social Security number, IP address, medical and biometric data, etc.
The conditions for consent have also been strengthened. According to Article 4(11), consent should be “freely given, specific, informed and unambiguous”. In other words, your request for consent should be easily accessible, intelligible and state the purpose of collecting data in plain language. It must also be as easy to withdraw as it is to give. For more information, see Be GDPR compliant: everything you need to know about getting consent in Jira and Confluence
It means that personal data must be obscured or anonymized so that it cannot be traced back to a person without additional information.
Data subjects have the right to be informed that their personal data is being collected and processed. You must also provide privacy information to the data subject at the time you collect their data (for the full text, see Article 13).
It means that data subjects can obtain information as to whether or not their personal data is being processed, the purposes of the processing, the period for which the data will be stored, the recipients to whom that data has or will be disclosed, etc. (for the full text, see Article 15).
It entitles the data subject to have the data controller erase their personal data without undue delay (for the full text, see Article 17). Now, this rule might be tricky to implement – on the one hand, you have to erase all the personal data completely, on the other hand, you don’t want to run the risk of losing valuable data which may be associated with the user, as data subjects are not just your customers, but also your employees. With our solution, Data Protection and Security Toolkit for Jira and Confluencem you can use simple JQL queries to anonymize personal data across Jira and Confluence without having to delete important information.
Breach notifications are now mandatory. It means that you must report all breaches to data subjects and supervisory authorities within 72 hours of becoming aware of the breach (for the full text, see Articles 33 and 34).
Ensuring compliance may be challenging, especially for smaller companies which might not have sufficient resources or expertise to handle all the requirements. In fact, many research reports show that a lot of companies are still not fully compliant. However, the stakes are getting high.
Some examples
We all remember the high-profile case of Google, an American technology giant, which was fined 50 million EUR at the beginning of 2019 for not properly disclosing to its users how their personal data is collected and stored across its services.
British Airlines
Later this year British Airlines were fined a record £183.39 million (1.5% of the company’s total revenue for 2018) following the data breach that took place the previous year. British Airlines were accused of poor security arrangements, which led to the leak of sensitive personal data, including credit card details and personal addresses, of hundreds of customers.
Österreichische Post AG
More recently, Österreichische Post AG, an Austrian post company, had to pay 18 million EUR for creating and selling a register containing personal data of millions of Austrian customers.
Deutsche Wohnen SE
Deutsche Wohnen SE, a German real estate company, are also being fined for failing to provide an archiving solution that would allow for the erasure of the data that was no longer necessary. The imposed fine amounts to 14.5 million EUR, which constitutes 2% of the company’s annual turnover).
As you see, the new legislation is going to affect everyone. Of course, you can have your fingers crossed and hope that your company will never be checked (which, we believe, is wishful thinking), or you can have your back covered with a useful tool for Jira and Confluence. See how it works in our YouTube video.
If you are not sure of your regulatory compliance status, you can check it by answering the simple questions below:
If you answered “No” or “Not sure” to any of the questions, you might actually be in trouble.
Many companies unknowingly overlook some aspects and think they have all the pieces in place — until a regulator comes knocking on the door or an unhappy customer complains whereupon the company discovers that its data protection system isn’t as robust as it was thought to be. Sounds daunting? We know exactly how you feel – after all, our company is also affected by the GDPR. That is why we have put together a team of our best professionals to develop a solution that will cover all your GDPR compliance needs. Keep ahead of the requirements and become fully compliant now in a swift and easy way with our solutions Data Protection and Security Toolkit for Jira and Data Protection and Security Toolkit for Confluence.
Follow us on LinkedIn, Facebook and Twitter, and subscribe to our newsletter to get regular updates, tips and special offers delivered directly to your mailbox.
Gain hands-on insights from live webinars
Supercharge your IT expertise
Discover best practices to improve your business
Permission to contact
After signing up, you will receive our monthly newsletter and occasional product updates and news. We will not sell or distribute your email address to any third party. View our Privacy Policy.