From 25 May 2018 the GDPR applies across the EU. It introduces severe penalties for non-compliance and redefines the obligations of companies that process personal data. Among other things, companies must set up and maintain security measures, monitor the security of personal data, and report personal data breaches to the supervisory authority without undue delay (within 72 hours of becoming aware of the breach, where feasible). The first step is to conduct a risk analysis.
In the case of capital groups with several companies in different jurisdictions, it is highly recommended to coordinate efforts across those jurisdictions. The most common mistake, and one that must be avoided, is a lack of coordination between companies from different jurisdictions; it is certain that the regulators will cooperate cross-border. If the level of security treated as "appropriate" in one country differs from the level treated as "appropriate" in another, defending the group's position before the regulator becomes much more difficult. The assumptions made by companies from the same capital group should be consistent.
So far, the fines for non-compliance have been trivial, but from May 2018 they become really significant: up to 4% of the total worldwide annual turnover or up to EUR 20 million, whichever is higher.
The purpose of the new regulation is to harmonise personal data protection laws and procedures across the EU. This is why it is recommended, for groups with companies in several jurisdictions, to coordinate efforts between the entities in different countries. The new law defines how companies should ensure the protection and security of the data they process; this applies not only to data controllers but also to entities processing data on their behalf (the so-called data processors, e.g. outsourcing companies). Every company that processes personal data will be obliged to implement (a) procedures and policies and (b) technical measures ensuring an appropriate level of security for the data being processed.
The GDPR does not prescribe which technological changes each company should implement. There are no ready-made solutions. The regulation requires companies that process personal data to develop and implement procedures and security measures that are appropriate to the nature of the company's business and to the risk of loss or unauthorised disclosure of the data being processed. It is at the discretion of each company to determine the level of that risk and the type of security measures and controls needed, and the company must be able to justify that determination.
Therefore, the first step in each case should be a risk analysis relating to personal data. The obligation to assess risk applies to every company that processes personal data. The analysis should be carried out by a team of lawyers and IT specialists, since it involves identifying the risk areas in a company (outsourcing, marketing, recruitment, debt collection, HR etc.) and the actual level of security in place for the data. The analysis should be documented, because the company must be able to demonstrate compliance to the regulator, and it should then serve as the basis for the steps taken to improve the situation.