The General Data Protection Regulation (GDPR) is a European-level regulation that applies from May 25, 2018 to all companies operating in the EU. Its goal is to regulate how companies, whether or not they are physically based in the EU, use customer data. This is a major strategic issue for companies, because significant financial penalties apply in the event of non-compliance (up to 4% of a company’s worldwide turnover).
This new regulation reinforces companies’ obligations regarding the processing of personal data. Unlike the approach initially taken in France by the French data protection agency (CNIL), the GDPR does not require prior notification. Instead, companies must be able to demonstrate their compliance with data protection rules at all times, most notably by maintaining a record of processing activities.
According to the GDPR, personal data means any information relating to an identified or identifiable natural person: identity, a contact email address, contact details, IP address, etc. All companies with customer databases are thus affected and must, as of now, enter into a transition phase.
The notions of “Privacy by design” and “Privacy by default” express the need to consider personal data protection right from the start of a project’s design. They also mean that only the data the company needs to achieve its objectives, which must themselves be clearly stated, may be collected and processed.
To comply with the GDPR, the way new information systems are conceived will have to change and certain existing IS will have to be entirely redesigned. “Privacy by design” particularly affects software developers and companies seeking to implement data-driven tools, such as a CRM.
To make these measures easier to apply within companies, the GDPR creates the position of data protection officer (DPO). Designating a DPO is mandatory in:
Companies that are not initially bound by this obligation should also designate a DPO to demonstrate that they have understood the magnitude of data protection challenges.
Designated on the basis of their expertise in law and personal data protection, the DPO acts as the conductor who governs data protection within the company. Their tasks include:
In addition to designating a DPO, the GDPR also establishes the obligation to provide notification of data breaches. This obligation falls on the controller/processor who is in charge of notifying the data protection authority of breaches.
For all new projects involving the processing of personal data, the instructing party and its controller must first determine if the project will affect the privacy rights of the people involved. If the answer is yes, they must show that the project complies with the notion of “Privacy by design”. It is important to highlight that the subcontractor is no longer in charge of doing this prior work, which now falls under the responsibility of the instructing party.
The GDPR also provides the right for individuals to be given back the information concerning them that companies have processed. This data can then be transferred to a third party if needed.
For companies to be able to respond to such requests, they must implement a system that gives access to all the data collected on an individual. These companies, which may be pharmacies, banks or insurance providers, are now obliged to transmit all of this data in unencrypted form to the person concerned or to another controller.
This measure, which predates the publication of the GDPR, is made explicit by the regulation. To collect personal data, the customer must be informed and must freely give specific, informed consent. That consent is tied to a defined purpose and cannot be extended to a set of uses, however similar they may be.
In order to secure company operations, data collection and processing will have to be standardized, which represents a major investment for marketing departments.