With 2018 just around the corner and the European Union setting a clock on raising the standards of personal data protection, companies are starting to prepare themselves for new challenges.
The General Data Protection Regulation (“GDPR”) approved by the EU in 2016 will enter into force on the 25th of May 2018 and all companies processing personal data need to be compliant by that time.
Compared to the current Romanian legislation, which sets reasonable administrative fines and measures, the GDPR ensures that non-compliance is not an option: it allows the National Privacy Authority to impose fines of up to 20 million euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors.
But this is not all. Along with a harsher sanctioning regime, the GDPR introduces new obligations for businesses and extends the rights of the individuals.
I. Does your company need to implement the GDPR?
The GDPR applies to companies processing any information relating to an identified or identifiable person, whether they act as data controllers or as data processors. From small businesses to multinational enterprises, personal data processing is part of normal business activity: processing employees’, clients’ and contractual partners’ personal data, the use of online cookies, marketing campaigns and so on. Therefore almost every company falls under the GDPR requirements.
II. Which are the main changes?
The relevant changes from a business perspective are the following:
- new standards for data handling: privacy by design and privacy by default;
- new concepts: profiling and pseudonymisation;
- new requirements regarding extended information to be provided to all data subjects;
- additional requirements when processing is based on consent;
- types of processing and software must be adapted to ensure compliance with all requirements under the GDPR, including tracking of data flows, the exercise of new rights granted to individuals (such as the right to be forgotten, the right to object to processing and the right to data portability) and the appointment of a data protection officer (either mandatory or merely recommended);
- direct responsibility established for data processors (and not only for data controllers);
- a new procedure in case of data breaches, including a notification to the Supervisory Authority and data subjects;
- mandatory privacy impact assessments in specific cases and consultation of the Supervisory Authority;
- changes regarding the transfer of personal data to third country entities;
- the possibility to draw up codes of conduct or obtain certification;
- one lead authority for cross-border processing (“One-Stop Shop”).
III. GDPR compliance project
Taking into consideration the short period of time left for implementing all the above changes, if you have not yet updated your procedures, the best time to start complying with the new regulation is now.
In order to ease the process, each week we will analyse one specific change, considering the GDPR provisions, the national and European guidelines available so far and the proper way to put them into practice.