GDPR is currently one of the most frequently used abbreviations in the media. What is GDPR, who is affected, is it necessary to deal with it, and should you now change the processes in your organization?
The General Data Protection Regulation, commonly abbreviated GDPR, is Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It is most probably the most complex legal regulation in the world related to the topic of data privacy. It defines new terms, introduces new rights for natural persons, but mainly defines obligations for companies that process personal data of natural persons. After 22 years it will replace the still valid Directive 95/46/ES of the European Parliament and of the Council, the Data Protection Directive.
The GDPR will take effect on May 25, 2018 and will be directly enforceable in all member states of the European Union. In the Slovak Republic, the Office for Personal Data Protection (OPDP) has already proposed a new law, which largely reproduces the GDPR. In 2018 it will replace Act No. 122/2013 Coll. on personal data protection, as amended.
The Regulation extends the definition of personal data to any information about an identified or identifiable natural person (the concerned person). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifier, or to one or more specific elements of physical, physiological, genetic, psychological, economic, cultural or social identity.
A significant change is the way in which consent is granted by the concerned person. Such consent must be freely given, explicit, informed and unambiguous. It must not be part of the General Business Terms or any other directive or contract.
Data minimization is also important. In practice, this means that only personal data necessary for the performance of the entity's activities, for a defined purpose and for a predetermined, limited period, may be collected (the current legislation allows the collection of personal data for an indefinite period).
Under the GDPR, entities processing personal data of natural persons are obliged to report security incidents to the affected persons as well as to the public authorities within 72 hours.
Last but not least, the GDPR introduces a new role of responsible person, in the form of the Data Privacy Officer (DPO). The GDPR directly defines the cases in which it is mandatory to establish this role within an organization (for example, public authorities, entities whose main activity requires extensive and systematic monitoring of personal data, and entities and processors handling sensitive personal data).
Processors of personal data are also obliged to keep records of all processing activities.
The GDPR brings many rights for individuals, such as the right to be informed, the right of access to information, the right to rectification and erasure (the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and the right to be informed of a security incident. All of the above rights correspond to current trends in information security and privacy. At the same time, however, they represent obligations for the entities processing personal data, which must enable individuals to exercise the above rights.
The Regulation brings new and higher penalties for violations. The legislation currently in force in the Slovak Republic allows the Office to impose a fine of up to EUR 200,000 for violating the law. Under the GDPR, the sanction rises to EUR 20,000,000 or 4% of worldwide turnover, whichever is higher.
In addition to the sanctions, the GDPR also establishes a right to compensation for damage caused by an operator or an intermediary where a natural person has suffered material or non-material harm as a result of a violation of the GDPR.
Given the media interest in personal data breaches and the loss of sensitive information, it is also important to assess the impact an incident may have on the organization's reputation.
All entities processing personal data of natural persons should be aware of the GDPR. They are directly concerned by it and are required to bring their business practices into line with the Regulation from May 25, 2018; otherwise they are subject to the above-mentioned sanctions. In practice, this means every organization that has employees or keeps a database of customers, suppliers or partners (if they are natural persons or natural persons acting as entrepreneurs). It is difficult to identify an organization that would not be affected by the GDPR.
The GDPR is an evolution, not a revolution, in the area of personal data protection. The Regulation develops and replaces the current legal standards because of their obsolescence and the need for harmonization within the EU. It introduces new rights and obligations appropriate to current global trends in digitization and the rapid development of cybercrime.
Vojčík & Privacy combines extensive international experience in the field of law, information security standards, and IT management and implementation. We offer clients modern, comprehensive and efficient solutions that meet international standards and applicable legal regulations.