May 25, 2018 is fast approaching. For anyone doing business on the Internet and for public institutions, these are the last few months to prepare for the GDPR.
The EU regulation on the protection of personal data has significant consequences. Multimillion-euro fines, the obligation to report personal data breaches and the requirement to define procedures for protecting personal data are only a small fraction of what the GDPR contains.
Data protection and security under the GDPR
The purpose of the new law is to unify the provisions on the protection of personal data across all 28 EU member states. Whether you run an online store, a web hosting company or sell a SaaS service, you have to put the required security procedures in place.
What is the regulation about? What is its purpose? How should an organization prepare for the changes? We explain in this article.
1. Security of personal data
The main premise of the GDPR is the protection of personal data. We leave more and more sensitive data in the virtual world. Improperly protected personal data can fall into the wrong hands and be exploited by attackers.
From 25 May 2018, a controller that obtains our personal data will be required to inform us about our right to data portability, the period for which the data will be stored and any intention to pass the data on to other entities. At the same time, it will be obliged to provide contact details for its Data Protection Officer.
2. Register of processing activities
Data filing systems will no longer have to be registered with the General Inspector for Personal Data Protection. From May 2018, the obligation to keep a record of processing activities rests with the organization itself.
3. Processor - new responsibilities
A processor is a person or organization that processes personal data on behalf of the controller. Under the new regulations, processors will also be responsible for maintaining a record of the processing they carry out. In some circumstances a processor must also appoint a Data Protection Officer.
4. Information Security Administrator - change of role and status
The EU regulation on the protection of personal data introduces the obligation, in the cases it specifies, to appoint a Data Protection Officer. This position replaces the earlier Information Security Administrator.
Data subjects will be able to contact the Data Protection Officer directly. The officer will also act as the organization's contact point for, and will cooperate with, the General Inspector for Personal Data Protection.
5. Sensitive data and the GDPR
Under the current law, sensitive data includes all information that reveals racial or ethnic origin, political opinions, or religious, political party and trade union affiliation. It also includes information about health and about judicial and administrative decisions concerning the person.
The new EU regulation on the protection of personal data (GDPR) refers to sensitive data as special categories of personal data and explicitly extends these categories to biometric and genetic data.
Biometric data covers physical, physiological and behavioral characteristics: fingerprints, the shape of the ear, a handwritten signature or a person's gait. Note that under the GDPR biometric data falls into the special categories only when it is processed for the purpose of uniquely identifying a person.
6. Expanded rights of data subjects
The data subject will have the right to erasure (the "right to be forgotten") and the right to data portability.
The data subject has the right to ask the controller to erase personal data concerning them without undue delay.
The controller is required to erase the data when it is no longer necessary for the purposes for which it was collected, when the data subject withdraws the consent on which the processing is based, or when the data subject objects to its processing for direct marketing purposes.
7. Proactive approach to security
Implementing the GDPR requires companies to put in place appropriate safeguards and internal procedures governing the security of the data they process. Companies are also obliged to train and prepare the employees who will work with sensitive data.
Procedures that protect personal data should be prepared at the earliest stage of any project that collects or processes it, rather than bolted on afterwards (data protection by design).
8. Reporting of data breaches within 72 hours
The GDPR requires organizations to notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the persons affected.
It may seem absurd, but in the case of a personal data leak the regulation requires you to report on yourself. If personal data is stolen or leaked, the incident must be reported to the General Inspector for Personal Data Protection. Where the breach is likely to result in a high risk to the persons concerned, you must also inform them about the incident.
9. Financial penalties
Failure to implement and comply with the GDPR will expose companies to very high fines. Depending on the infringement, financial penalties can reach 10 million euros or 2% of the company's annual worldwide turnover, and for the most serious infringements 20 million euros or 4%, whichever amount is higher. For public administration in Poland, a cap of 100,000 PLN is planned. Penalties will be proportionate and will depend on the scale of the infringement.
10. Processing personal data of children
Parents will have greater say over their children's presence on the Internet. Where a service is offered directly to a child, the controller must give the child's parent or guardian the opportunity to consent to the use of the minor's data.
Consent given by a child alone, for instance for marketing purposes or for activity on social networks, may be invalid.
May 25, 2018 - entry into force of the GDPR
The new regulations on the protection of personal data bring radical and far-reaching changes. A company or organization should begin adapting as soon as possible, because implementing the procedures is a complicated process. By May 25, 2018, the date the GDPR takes effect, the company must operate in accordance with the new regulations and according to clearly defined procedures.