This is the last call to implement the new conditions and procedures included in the General Data Protection Regulation (GDPR) adopted by the European Council and European Parliament in April 2016. Even though the Regulation enters into force in May 2018, the new rules on personal data protection and processing require a lot of implementation work from entrepreneurs.
Severe financial penalties are provided for personal data processing that is not compliant with GDPR. The penalties may amount to as much as EUR 20 million or 4% of the total annual global turnover for the previous year.
In today's digitalized world, the new regulations modernize the existing ones. Importantly, the regulations are only a set of general rules of conduct, not ready-made solutions to be implemented in each company or organization. That would not be possible anyway, given how much needs differ between industries and how quickly conditions change. Entrepreneurs will be obligated to analyse for themselves what personal data they hold, what operations are performed on it, what risks this implies, and finally, which measures best minimize those risks. Under the new regulations, a company should build new solutions so that personal data protection is considered as early as the design stage, e.g. by introducing proper safeguards or procedures.
A lot of changes from 25th of May 2018
From 25th of May 2018, the requirement to maintain personal data protection documentation in the existing official form, i.e. the Policy on protection and the IT system management manual, will no longer apply. These documents will be replaced by other types of documentation, e.g. documentation of violations of personal data protection or an assessment of the impact of processing on personal data protection. The new regulations will revoke the obligation to submit personal data databases to The Inspector General for the Protection of Personal Data, as well as the obligation of the appointed administrator of information protection to keep an open register of databases. These obligations will be replaced by the requirement to keep a register of personal data processing procedures or a register of all categories of processing procedures performed on behalf of the administrator.
Another novelty for entrepreneurs processing personal data will be the obligation to use IT systems in such a way that the persons whose personal data is being used may, among other things, have the personal data deleted entirely ("the right to be forgotten"), transfer the data to another service provider, or have a file with all their personal data generated on demand.
In most cases, fulfilling the request of the person whose personal data is being used will be free of charge, and the administrator of the data shall be obligated to provide information about the actions taken in response to the request within a month.
If a violation of personal data protection occurs in the organization, the administrator of the data shall be obligated to report it to the supervisory authority, i.e. The Inspector General for the Protection of Personal Data, immediately, within 72 hours of discovering the violation, unless the violation is unlikely to result in a risk to the rights or freedoms of natural persons.
GDPR introduces many changes and novelties compared with the currently applicable regulations, and this study mentions only a few of them. It is worth getting to know today the obligations that will apply to entrepreneurs and immediately starting the process of adjusting existing procedures to the new regulations.