Technological expansion and accelerated globalization in the new millennium present new challenges for the protection of personal data. The volume of personal data collected and exchanged has grown, and individuals themselves, knowingly or not, make more and more of their personal data publicly accessible, which opens the door to abuse. In response, in 2016 the EU adopted a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Regulation (EU) 2016/679), which has applied since May 25, 2018.
What is GDPR
GDPR (General Data Protection Regulation) applies to the processing of personal data by organizations established in the EU, and also to organizations established outside the EU where their activities relate to offering goods or services to individuals in the EU or to monitoring the behaviour of such individuals within the EU.
The General Data Protection Regulation aims to facilitate the flow of personal data within the EU and its transfer to third countries and international organizations, while ensuring a high level of protection of that data.
GDPR stipulates that:
- data must be processed lawfully, fairly and transparently
- data must be accurate and, where necessary, kept up to date, and must be adequate, relevant and limited to what is necessary for the purpose of processing (data minimization)
- data must be kept in a form that permits identification of the person for no longer than is necessary for the purpose of processing
- data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
GDPR requires that anyone who determines how personal data are processed must guarantee the data subject's rights: the right to transparent information, the right of access to personal data, the right to rectification of inaccurate data, the right to erasure (the "right to be forgotten"), the right to restriction of processing, the right to data portability and the right to object.
For these rights to be fully respected, the organization processing the data must first have a lawful basis for the processing. Consent is the most common basis, and where it is relied on it must be freely given, specific, informed and unambiguous, and the organization must be able to demonstrate that it was given. The person must be informed of the purpose for which the data will be processed, of how long they will be retained and how they will be protected, and of the right to withdraw consent at any time, which must be as easy as giving it.
Implementation of GDPR
In implementing the provisions of the GDPR, each organization should in principle follow several steps. First, the organization needs to initiate the compliance project and analyze its existing systems. The obligations imposed by GDPR are then presented to management in relation to the business policy. Next, the organizational structure is reviewed and employees with appropriate professional profiles are included in the classification of the personal data being processed. The data are classified according to their sensitivity and the degree of risk involved in processing them. A privacy impact assessment (PIA) is then carried out and, where the processing is likely to result in a high risk to the rights and freedoms of the persons concerned, a Data Protection Impact Assessment (DPIA) as required by the regulation. Once a plan is in place, the organization designs procedures and internal controls, which include training staff, appointing or engaging a Data Protection Officer (DPO), and risk management.
Once this is done, the organization is ready to monitor the processing of personal data, analyze and evaluate it, perform internal audits and, at regular intervals, review the technical and organizational measures it uses to protect personal data.
Penalties for breach of GDPR regulation
The implementation of the provisions of the GDPR (General Data Protection Regulation) should be approached with great care, given the size of the prescribed fines. Depending on which provisions have been violated, fines can reach up to 20,000,000 euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, so it is important to keep the penalties for breach of GDPR in mind.