May 25, 2018 will bring revolutionary changes in the field of personal data protection. The General Data Protection Regulation (GDPR) matters a great deal from an entrepreneur's perspective: it brings new responsibilities and the need to adapt processes and technological facilities.
GDPR comprehensively regulates the protection of personal data in the European Union. The aim of the work on this regulation was to reduce the divergence of rules between individual Member States. The new legal provisions lay down a number of obligations that processors and controllers must meet in order to process personal data lawfully. GDPR requires that controllers and processors analyze the level of risk and, based on that assessment, decide on the type and scope of the technical and organizational measures used to protect data. Importantly, the GDPR does not prescribe specific organizational or technological security guidelines: each organization must carry out its own assessment and decide what to secure and how.
In addition to analyzing the level of risk, another important requirement arising from GDPR is accountability, i.e. the ability to demonstrate that the law is being observed. Companies should not downplay these requirements, because alongside them a new system of financial penalties is being introduced for companies that fail to comply with their obligations under GDPR. The penalty can amount to up to 20 million euros, or up to 2% or 4% of the company's annual turnover.
Another significant change in relation to the current legal status is the obligation to appoint a Personal Data Inspector, the equivalent of the current Information Security Administrator (ABI). Currently there is no such obligation; after GDPR enters into force, some entrepreneurs will have no choice and will have to find the right person. This applies above all to entrepreneurs for whom the processing of personal data is the basis of their activity, and to those who process personal data in a technologically advanced manner, e.g. those who monitor the behavior of natural persons, analyze the behavior patterns of specific persons, and make decisions that may affect those persons.
GDPR brings not only obligations but also simplifications. The entry into force of the Regulation will abolish, among other things, the obligation to register data sets and keep those registrations up to date.
IT will play a very large part in bringing a company properly into line with the GDPR's provisions. A high level of IT security must be ensured, in part because of the need to maintain control over the places where data is stored and to guarantee a specific retention period, as well as the ability to modify and delete data, including data held in unstructured form and in backups. Processes related to obtaining consent for data processing and to the classification of data will also need to be adapted.
GDPR introduces a broader catalog of information obligations that must be fulfilled when collecting data. Data can still be collected, provided that data subjects are reliably informed and, where necessary, asked for consent to the processing of their personal data. It is worth remembering that any withdrawal of consent will also need to be properly documented. In order to demonstrate that processing complies with the law, organizations will be obliged to store a record of who gave consent, when they gave it, to what extent, and what information was provided to them when the consent was obtained.
According to the IDC analytical center, in 2018 34% of expenditure related to IT security in Europe will be related to the need to adapt business systems and processes to new legal requirements regarding the protection of personal data.