It will soon be two years since our first alert about the new regulation on personal data protection.
25 May 2018 is approaching as the first day of application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). As expected, this year’s spring has been dominated by the GDPR for entrepreneurs. In all industry sectors intense work, in which we are also participating, is being conducted to implement the new personal data protection standards.
Below we present a short TOP 5 of the major changes in the area of personal data protection.
TOP 5 changes
Necessity of risk assessment concerning data processing
Entrepreneurs are now obliged to verify whether, and what kind of, personal data they process, and then to evaluate whether, and what kind of, risk may be associated with such processing (for the personal data themselves or for the natural persons they concern).
Subsequently, entrepreneurs should assess what measures should be taken to protect personal data during processing.
Privacy protection rules: by design & by default
In accordance with the principle of privacy by design, an entrepreneur controlling personal data is required to take into account, as early as the stage of designing a solution for personal data processing (e.g. an app, a sales model, software), a number of issues relating to the protection of these data, including the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of natural persons.
In accordance with the principle of privacy by default, an entrepreneur controlling personal data is required to ensure that, by default, only those personal data that are actually necessary for achieving the purpose of processing are processed.
New natural persons’ rights
The new regulations emphasise natural persons’ rights with respect to their personal data. One of the most important is the “right to be forgotten”, i.e. the right to demand erasure of one’s personal data and cessation of their processing. Another new right of natural persons, which may be particularly important in sectors such as telecommunications, e-commerce or finance, is the right to demand that personal data be transferred to another controller.
Informing about infringements
Each entrepreneur that processes or controls personal data is required to report so-called incidents resulting in an infringement of personal data protection to the Inspector General for the Protection of Personal Data. Moreover, certain infringements (those posing a high risk) must also be notified to the natural persons whose personal data have been endangered or affected.
High financial penalties
Violations of the GDPR are subject to very high financial penalties. Depending on the nature of the infringement, the penalty imposed may be as much as EUR 20 million or 4% of total annual worldwide turnover, whichever is higher. Moreover, the Inspector General for the Protection of Personal Data will also be equipped with other instruments intended to make entrepreneurs abide by the GDPR provisions.
Beyond the above TOP 5, the GDPR provides for many other obligations and rules concerning the processing and protection of personal data.
The vast majority of entrepreneurs are nearing the finishing line in their work on their organization’s compliance with the GDPR requirements. Still, there are others who have not yet started their GDPR adventure. We wish all of them efficiency in implementing the new standards of personal data protection.