The General Data Protection Act (GDPR) entered into force on May 25, 2018, replacing the previous law on the protection of personal data. The GDPR applies in all 28 countries of the European Union, thus unifying their diverse data protection regulations. Last May the two-year implementation period for the new regulations ended, during which companies had the opportunity to prepare for the upcoming changes. The new regulation aims to increase the level of personal data protection and to adapt its scope to contemporary realities. From the day of entry into force, all entrepreneurs operating in the European Union are required to comply with the new guidelines on the flow and processing of individuals' personal data.
What does the GDPR act change?
The new act is to a large extent convergent with the previous law on the protection of personal data. However, some of the rules under the old law have been changed, while others have been abolished completely. The changes mainly reflect the need to adapt the regulations to changing needs in the field of data protection and processing. The most significant changes that the GDPR introduces in this connection are:
1. Replacement of the Information Security Administrator (SA) by the Data Protection Officer (DPO). The SA was not a mandatory office, but it was nevertheless appointed by many companies. After the GDPR enters into force, entrepreneurs will no longer have a choice: the DPO will have to be appointed. This applies not only to companies but also to all public institutions that collect and process data in their activities. The regulation does not require companies to hire a new person from outside; the Data Protection Officer may be, for example, one of the company's employees who has expert knowledge. The main tasks of the DPO will include monitoring compliance with procedures in the company and imposing sanctions in connection with violations.
2. Extending the rights of individuals, as a response to their dissatisfaction with the scope of protection granted to them so far. For users this means greater protection and better access to information; for companies it means new obligations. The most important changes regarding the rights of natural persons include:
- The right to be forgotten now appears directly in the regulation. It means that, after providing a valid reason, each person may request the deletion of their data from the databases of enterprises or institutions. Previously, this was only possible after obtaining a court judgment, but from May 25, 2018 every person has this right.
- The right to transfer data was created; it saves time by making it possible to transfer personal data directly to another administrator.
- Profiling, i.e. a procedure by which conclusions about other characteristics of a person are drawn from the personal data collected about them. In practice we encounter it everywhere: for example, after searching for hair care products, we are shown offers from hairdressing salons. Until the GDPR it was a way to conduct marketing activities using data analytics. After the entry into force of the act, users are able to object in such situations.
3. The GDPR has introduced two new obligations for entrepreneurs: the information obligation and the notification obligation. The first is simply an extension of the requirement in the previous act: the entrepreneur has to state the legal basis on which personal data are processed. The most visible effect of this change is an even greater number of clauses on websites, since companies have to inform about the safeguards used, the certificates held and any intention to transfer data to a third country. The notification obligation requires a so-called register of violations, in which all cases of breach of the security of data held by the company are recorded. What's more, the company has to inform the Data Inspector about these violations within 72 hours. If the risk of violating the rights of a given person whose data has been leaked is high, it will also be necessary to notify that person.
4. In addition to the register of violations, the company also needs to keep a record of personal data processing. This requires a data inventory: gathering in one place information on the purposes of processing, the data protection measures and who the administrator of the data is. This is an internal document of the company that does not have to be forwarded to any authority; however, it must be presented during an inspection.
5. Privacy by design and privacy by default, i.e. completely new security procedures introduced by the GDPR. The first means ensuring data protection while designing a specific product or service that the entrepreneur wants to release to the market. Privacy by default means limiting the personal data the company collects to only those it needs in a particular situation. It is therefore necessary to inform about the purposes for which data is being collected, and it follows that such information may not be used for activities other than those announced, i.e. those which have not been agreed to. The data must also always be current and correct.
Under the GDPR, financial penalties on entrepreneurs who have not complied with the regulations can be imposed by the inspector's office. How high will they be? Depending on the type of violation, 10 million euros or 2% of the company's annual turnover, and in the case of gross violations up to 20 million euros or 4% of its annual turnover.
Who is affected by the GDPR?
The simplest answer is: everyone. The entire society, both citizens (individuals) and entrepreneurs, feels the effects of the change in regulations. There are two groups to which the GDPR applies:
- citizens, because everyone is the owner of their personal data, which are constantly processed by various institutions and companies,
- entities dealing with the processing of personal data, i.e. institutions and companies.