A new piece of legislation, somewhat enigmatically known by its abbreviation GDPR, has been hurtling us all over the place, and hardly anybody can have escaped the media bogey of punitive sanctions, the offers of software products promising compliance, and the significant adjustments demanded by the new obligations. But what are the practical aspects of the regulation? What needs to be accomplished and met? What are the real risks?
First of all, one needs to establish whether one is affected by the GDPR at all. The new legislative framework on personal data protection becomes effective on 25 May 2018 and concerns all individuals, organizations and institutions, whether commercial, state or administrative bodies, that process and manage the personal data of EU citizens. Moreover, it applies not only to firms seated in the EU but also to those located outside the EU that monitor EU residents or offer them goods and services. The legislation aims to guarantee that the personal data of EU citizens are processed solely for specific, lawful, explicitly articulated and legitimate purposes.
The scope of the protection covers general personal data, such as name, sex, age or date of birth, on the one hand, and technical details, e.g. email and IP addresses and so-called cookies, on the other. Newly, sensitive data such as genetic and biometric data and the personal data of children form a special category. It is obvious that the volume of data is enormous and contains information on a vast number of persons, including companies’ clients and suppliers as well as their employees.
What, then, does the new legislation require from personal data processors and controllers, i.e. almost all of us? The fundamental principle of the new regulation is a process based on risk analysis and the implementation of measures preventing a possible breach of personal data security. In practice, if data processors are investigated by the Office for Personal Data Protection (ÚOOÚ), they will have to prove that they have taken all technical and operational precautions and have put in place mechanisms that secure the protection of personal data. The specific obligations include assessing the impact on personal data protection, implementing data protection by design and by default, co-operating with the ÚOOÚ, keeping records of personal data processing, appointing a data protection officer, reporting breaches of data security to the ÚOOÚ, and securing a number of rights of natural persons, such as the rights to data portability and data erasure. These will inevitably result in a revision of current mechanisms and numerous internal changes, accompanied by a substantial administrative, technical and financial burden.
Should data security be breached, natural persons may be fined up to EUR 20m and legal entities up to 4% of their annual turnover. Such penalties ought to prove an effective and sufficiently deterrent tool, and the calculation of the actual figures will take into account not only the damage caused but also the specific measures the company had taken to protect the data.
With the increasing number of cyber attacks and cases of personal data misuse, the risks of a personal data breach appear to be connected mainly with external intrusions into companies. Significant potential hazards, however, may also originate from within the company, for instance from dissatisfied or former employees who possess detailed information about the company’s activities.
Although the GDPR requirements for each subject’s operations are rather stringent, it seems clear, as the ÚOOÚ representatives inform us, that the office will take several aspects into consideration when investigating a possible case. One of the most significant is the effort the company in question has invested in meeting the legal requirements and in preventing breaches of personal data security, since it is apparent that such a breach or misuse of personal data cannot be avoided entirely, merely minimized.
Since there are only eight months left to prepare for the GDPR, it is evident that the time has come to start implementing effective legal and IT precautions, so that an unprofessional or dilatory attitude towards personal data protection does not result in severe sanctions that could have a destructive effect. Needless to say, it is the statutory bodies of companies that are primarily responsible for giving timely and professional attention to the issues connected with the GDPR.