New European Rules Are Knocking on the Door – General Data Protection Regulation
No matter where your business is based or how large it is, if it processes personal data of individuals in the EU, it must comply with the new GDPR rules.
Fewer than three months remain until this major EU regulation on personal data protection comes into force. The General Data Protection Regulation (GDPR) will inevitably affect almost every entity that transmits, stores, shares or otherwise processes personal data of individuals. Taking effect on 25 May 2018, it is not only the most significant change to European data protection policy in two decades, but also substantially increases the compliance burden for the vast majority of businesses.
Consent of Individual
As the GDPR aims to redress the balance in favour of the individual, a key role is played by the consent of the data subject, which must be specific, informed and unambiguous, freely given, and revocable at any time. Implied or assumed consent (silence, pre-ticked boxes or inactivity) is no longer considered GDPR-compliant. Consents obtained in the past may remain valid under the GDPR, but only if they meet the new conditions. Keep in mind, however, that the consent of an individual is only one of several legal grounds for processing personal data.
Records of Data Processing
Most businesses will be obliged to implement procedures for keeping records of all their data processing activities. This also includes taking appropriate technical and organizational security measures for the processing in question. In the event of an inspection by the relevant supervisory authority, these records and the related measures will be the key focus of the examination.
Data Protection Officer
Certain data controllers and processors are obliged to designate a Data Protection Officer (DPO) with sufficient expertise in data protection law and practice. The DPO's main responsibilities are conducting internal audits, monitoring compliance with the GDPR and generally overseeing all data protection processes within the company. However, appointing a DPO does not release the entity from its own liability for infringements of the GDPR. The same applies to external DPOs, who may be appointed under a service contract.
Notification of Regulator
Further, data controllers must notify personal data breaches to the national data protection supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; data processors must in turn notify the controller without undue delay. In the Czech Republic the supervisory authority is the Office for Personal Data Protection. If the 72-hour timeframe is not met, the notification must be accompanied by reasons for the delay.
Penalties for Non-Compliance
Failure to comply with the GDPR may have severe consequences, such as a fine of up to 4% of annual worldwide turnover or up to EUR 20 million, whichever is greater. On top of this, the damage to a company's reputation and goodwill resulting from an unsatisfactory outcome of a regulator's inspection should not be underestimated.
There is no doubt that the GDPR represents a milestone in European data protection, raising the level of protection and changing how personal data is understood. To be GDPR-ready and compliant with all GDPR obligations, it is highly recommended to review current policies and procedures. Companies should identify all potential gaps and risks arising from their processing of personal data. The review should also cover existing contracts, including general terms and conditions, service agreements and employment agreements, as well as other policy documents.