What is GDPR and How Does it Apply to My Business?

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (Regulation (EU) 2016/679), which replaced the EU Data Protection Directive (Directive 95/46/EC), is a European privacy law. Its aim is to strengthen the protection of personal data for individuals in the EU, citizens and non-citizens alike, and to regulate transfers of EU personal data outside the EU. It was adopted in April 2016 and became enforceable on May 25, 2018.

Does GDPR apply to my business?

The GDPR applies to any organization that processes or holds the personal data of EU data subjects, regardless of whether the organization itself is established in an EU member state. Under Article 3 it covers processing by organizations established in the EU wherever the processing takes place, and processing by organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals who are in the EU. Protection attaches to the data subject being in the EU, not to citizenship: a non-EU national whose data is processed while they are in the EU is covered.

The 28 EU member states at the time of writing (the United Kingdom left the EU on 31 January 2020, leaving 27) are:

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom


Exactly what does GDPR mean to my business?

The GDPR was adopted in April 2016 and extends the EU's general policy of protecting citizens' data. Beyond notice of collection and legal consequences for misuse, it requires a lawful basis for each processing activity (consent, where it is relied on, must be freely given, specific, informed and unambiguous), notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them (Article 33), appointment of a data protection officer where an organization's core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and much more. For financial institutions the rules require significant investment in compliance to keep access to the EU market. The rules also push firms to pseudonymize personally identifiable information (PII) before processing it. Pseudonymization (Article 4(5)) means the data can no longer be attributed to a specific person without the use of additional information, such as a key or lookup table, which must be kept separately and protected; pseudonymized data is still personal data under the GDPR, unlike truly anonymized data. Pseudonymization lets firms carry out broader analysis, such as assessing the average debt ratio of customers in a particular region, that would otherwise go beyond the original purpose for which the data was collected (assessing creditworthiness for a loan).
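The following is an added example, not code from the original page or from Big Head, showing what the pseudonymization step above looks like in practice and why the choice of technique matters. The customer records, the region names and the assumed customer-ID range (C-1000 to C-1999) are all constructed for illustration. Direct identifiers are replaced with a keyed token (HMAC-SHA256) and the aggregate per-region debt ratio is computed on the pseudonymized output; the block also shows why an unkeyed hash of a small identifier space is not a pseudonym at all, because anyone can reverse it by enumeration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample customer records (not real data). Direct identifiers:
# customer_id and name. Attributes the analysis needs: region, debt, income.
RAW_RECORDS = [
    {"customer_id": "C-1001", "name": "A. Example", "region": "Bavaria", "debt": 12000, "income": 48000},
    {"customer_id": "C-1002", "name": "B. Example", "region": "Bavaria", "debt": 30000, "income": 60000},
    {"customer_id": "C-1003", "name": "C. Example", "region": "Lombardy", "debt": 5000, "income": 50000},
    {"customer_id": "C-1004", "name": "D. Example", "region": "Lombardy", "debt": 45000, "income": 50000},
]

# Assumed: the complete space of possible customer IDs (1,000 values).
ID_SPACE = [f"C-{n}" for n in range(1000, 2000)]


def pseudonym(customer_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier. Without the key the
    token cannot be linked back to customer_id, even by enumerating all IDs."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Drop direct identifiers, replace customer_id with a keyed token, and keep
    only the attributes the analysis needs. The key is the 'additional
    information' of Article 4(5) and must be stored apart from this output."""
    return [
        {
            "token": pseudonym(r["customer_id"], key),
            "region": r["region"],
            "debt_ratio": r["debt"] / r["income"],
        }
        for r in records
    ]


def average_debt_ratio_by_region(pseudo_records):
    """Aggregate analysis that needs no identity at all."""
    sums = defaultdict(lambda: [0.0, 0])
    for r in pseudo_records:
        sums[r["region"]][0] += r["debt_ratio"]
        sums[r["region"]][1] += 1
    return {region: total / n for region, (total, n) in sums.items()}


def weak_pseudonym(customer_id: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def reverse_by_enumeration(token: str, id_space) -> Optional[str]:
    """Dictionary attack: hash every candidate ID and compare. Succeeds against
    weak_pseudonym because the ID space is small and the function is public;
    fails against pseudonym() because the attacker lacks the key."""
    for cid in id_space:
        if weak_pseudonym(cid) == token:
            return cid
    return None


def reidentify(token: str, key: bytes, id_space) -> Optional[str]:
    """Legitimate re-identification by the key holder (e.g. to act on one
    account). Needs both the key and the identifier list, which is why the
    two must be held separately from the pseudonymized data set."""
    for cid in id_space:
        if hmac.compare_digest(pseudonym(cid, key), token):
            return cid
    return None


if __name__ == "__main__":
    # Generate the key once per deployment and keep it in a KMS/HSM, never
    # beside the pseudonymized data.
    key = secrets.token_bytes(32)
    pseudo = pseudonymize(RAW_RECORDS, key)
    print("average debt ratio by region:", average_debt_ratio_by_region(pseudo))
    weak = weak_pseudonym("C-1003")
    print("unkeyed hash reversed to:", reverse_by_enumeration(weak, ID_SPACE))
    print("keyed token reversed without key:", reverse_by_enumeration(pseudo[2]["token"], ID_SPACE))
    print("keyed token reversed by key holder:", reidentify(pseudo[2]["token"], key, ID_SPACE))
```

The keyed construction is what makes the output a pseudonym in the Article 4(5) sense: re-identification is possible, but only with the separately held key. A plain SHA-256 of a customer number offers no such separation, since the identifier space is small enough to hash exhaustively in milliseconds. Note also that the output still contains quasi-identifiers (region plus an exact debt ratio) that could single out an individual in a small region, so it remains personal data and stays in scope of the GDPR.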


How does Big Head address international transfers of data?

Big Head's server bank complies with EU data protection law on the international transfer of personal data. Specifically, it is self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield, the frameworks that covered transfers of personal data from the EU and Switzerland to the US. Two caveats apply. Privacy Shield certification covers only transfers to the US, not every jurisdiction data may pass through. And the Court of Justice of the EU invalidated the EU-US Privacy Shield on 16 July 2020 (the Schrems II judgment), so transfers relying on it since then need another mechanism, such as Standard Contractual Clauses or the EU-US Data Privacy Framework adopted in July 2023.


If I use Big Head’s hosting environment, do I have to comply with data protection laws?

YES, you must comply with data protection laws. When you use Big Head's services you retain ownership of your Customer Data and control how it is accessed and used; in GDPR terms you are the controller and Big Head is a processor acting on your instructions. Because Big Head has no knowledge of what kinds of data a customer stores in the hosting environment, each customer is responsible for ensuring compliance with the laws and regulations that apply to that data: lawful basis, data-subject rights, retention, and so on. This does not remove the processor's own obligations, however: a written data processing agreement (Article 28) and appropriate technical and organizational security measures (Article 32) are required on the hosting side as well.
