THE GENERAL DATA PROTECTION REGULATION
The EU has adopted a new and comprehensive set of rules aiming to protect the data of EU citizens in a digital world.
Why have new rules been adopted for the area?
The current act on processing of personal data is based on an EU directive from 1995 (95/46/EC), which is no longer geared to handle the digital development we have seen over the past 20 years. As a result, the European Parliament and the Council have prepared and adopted a new regulation to replace the old directive. The new regulation is called the General Data Protection Regulation (GDPR). Apart from bringing the rules up to date, the purpose of the new regulation is to strengthen and support the digital internal market in the EU.
With the increasing digitalization and the new technological opportunities, the EU wants to increase the requirements to make sure that consumers are given more control of their own data – both in terms of protection of data and access to and use of data.
What is the General Data Protection Regulation?
Since the new EU rules take the form of a regulation rather than a directive like the previous one, the text is not implemented through separate legislation in the individual countries but applies directly.
When does it enter into force?
The new General Data Protection Regulation enters into force on 25 May 2018, but all projects working with personal data already have to observe the new principles. For example, all systems development projects have to follow the privacy by design and privacy by default principles. This means that processing of personal data has to be considered right from the start of the development projects.
What does it mean to SDC's customers?
The General Data Protection Regulation operates with two well-defined roles. The bank is the controller whereas SDC is the processor. Both have to appoint a Data Protection Officer (DPO) or another person with similar responsibility who reports directly to the company's top management.
For example, the controller is required to offer end customers the possibility of exercising the right to be forgotten – and thus have all registered data erased (subject to the requirements of the Danish Bookkeeping Act). This involves new requirements for both processes and documentation.
Moreover, the controller is required to monitor and verify the processor's processing of personal data.
What does SDC do?
Protecting personal data in a safe and sound manner is fully in line with SDC's normal business model. However, the new requirements for documentation necessitate major changes to the project processes. In addition, SDC's management has decided to update the IT security policy and the IT incident management policy, and to tighten the requirements for SDC's sub-processors.
Advantages with SDC
Generally, the Danish and Nordic financial sector sets a high standard for the implementation of the General Data Protection Regulation. SDC's management has given full support to SDC's personal data project and has, as part of an ambitious plan, decided to use the new requirements as a lever for a quality boost within the fields of data and IT security.