MoneyOnComputer

[mostakimvip05]

The European General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Its provisions will have to be directly applicable in all EU Member States. It brings new challenges for companies and other organisations, including the public sector (data subjects), in the area of ​​collecting and processing (using) personal data, i.e. data relating to natural persons: subscribers, users, employees, website visitors, prize draw participants, e-zine recipients and all other individuals with whom data subjects come into contact.

To say that this is a revolution would probably be an exaggeration; it is more of an evolution, but – from the perspective of those involved – for the worse.

It is impossible to ignore that the EU is clearly serious this time: if fines for violations have so far been left to the member states and in Slovenia were almost symbolic, now the maximum fine is EUR 20 million or up to 4% of the total global annual turnover in the previous financial year, depending on which amount is higher. Even in the case of imposing lower fines, the supervisory authority (Information Commissioner) will have to ensure that they are effective, proportionate and dissuasive. Weighing up whether it is not cheaper to pay a fine than to change a business process or model in certain cases is almost certainly no longer necessary.

Built-in and default privacy protection
The most important requirement of the GDPR is certainly that data protection becomes an integral part of business processes and decisions, from the time of their planning, and then also during their implementation, and the idea that data should be pseudonymized whenever possible. As a result, this means cyprus telegram data that those subject to the obligation will first have to determine what personal data comes to them in the first place, and then very closely monitor what happens to it throughout its “lifecycle” before they can even take “appropriate technical and organizational measures” to protect it. An additional challenge is posed by the principle of data minimization, i.e. processing only those data that are strictly necessary to achieve a specific purpose.

Another novelty is the mandatory reporting of security incidents, namely to the supervisory authority and, in certain cases, also to individuals whose data was compromised.

Amended definition of personal data; stricter conditions for the validity of consent for processing
The GDPR now also includes location data (e.g. data on the connection of mobile devices to base stations and geolocation data), so-called online identifiers (IP, MAC addresses) and genetic data as personal data.

At the same time, the GDPR tightens the conditions that must be met for consent to the processing of personal data (voluntary, explicit, informed and unambiguous statement) to be considered valid. Invalid consent means unlawful processing if there is no other basis for it. So forget about pre-ticked boxes, "hiding" consent in the text of general terms and conditions or contracts, or making the conclusion of a contract or the provision of a service conditional on consent to the processing of personal data that is not strictly necessary for the performance of the contract or the provision of the service.

When giving consent, the individual must have the opportunity to learn about the purposes of processing their data, i.e., information about what their data will be used for.

Data Protection Officer (DPO) and Impact Assessment
Data processing in the public sector, large-scale processing of sensitive data and large-scale regular and systematic monitoring of individuals (for example, but not exclusively, profiling) are examples that require the appointment of an "internal information officer" under the GDPR, who must be a data protection expert and must not have a conflict of interest (he must not be the person who determines the purposes of the processing of personal data at the data subject).

In addition to other tasks, the DPO is required to provide an opinion on the preparation of a data protection impact assessment, which is a mandatory preliminary step (and document) in cases where it is possible that the manner in which data are processed, in particular through the use of new technologies, could result in a high risk to the rights and freedoms of individuals. In certain cases, prior consultation with the Information Commissioner will also be required.

The time for GDPR action is...yesterday!
Given the above, it is clear that GDPR compliance cannot be achieved overnight and/or by a “copy-paste” approach, as measures and changes can only be undertaken after a thorough analysis of the situation and business needs. With less than a year to go until the GDPR comes into effect, it is high time to start regulating this increasingly important area now.