From 25 May 2018 the GDPR will apply across the EU. It introduces severe penalties for non-compliance and redefines the obligations of companies that process personal data. Among other things, the new obligations cover setting up and maintaining security measures, monitoring the security of personal data, and notifying personal data breaches (including loss of personal data) to the supervisory authority without undue delay. The first step is to conduct a risk analysis.
In the case of capital groups with companies in several jurisdictions, it is highly recommended to coordinate efforts across those jurisdictions. The most common mistake, and one that must be avoided, is a lack of coordination between group companies in different countries; the GDPR itself provides for cooperation between supervisory authorities in cross-border cases. If the level of "adequacy" adopted in one country differs from the level adopted in another, the defence against the regulator becomes much more difficult, because the group's own companies contradict each other about what is an appropriate level of protection. The assumptions made by companies from the same capital group should therefore be consistent.
So far, the fines for non-compliance have been trivial, but from May 2018 they will be really significant: up to 4% of the total worldwide annual turnover of the preceding financial year or up to EUR 20 million, whichever is higher.
The purpose of the new regulation is to harmonise personal data protection laws and procedures across the EU. This is why those who have companies in various jurisdictions are advised to coordinate efforts between the group's entities in different countries. The new rules define how companies should ensure the protection and security of the data they process. This applies not only to data controllers but also to entities processing data on their behalf (data processors, e.g. outsourcing companies). Every company that processes personal data will be obliged to implement (a) procedures and policies (organisational measures) and (b) technical measures ensuring a level of security appropriate to the data being processed.
The GDPR does not prescribe which technological changes each company should implement; there are no ready-made solutions. The regulation requires companies that process personal data to develop and implement procedures and security measures appropriate to the nature of the company's business and to the risk of loss, alteration or unauthorised disclosure of, or access to, the data being processed, taking into account the state of the art and the costs of implementation. It is up to each company to assess the level of that risk and to determine the necessary security measures and controls, and the company must be able to demonstrate that assessment to the regulator.
Therefore, the first step in each case should be a risk analysis relating to personal data. The obligation to assess risk applies to every company that processes personal data. This analysis should be carried out by a team of lawyers and IT specialists, since it covers both the identification of risk areas in the company (outsourcing, marketing, recruitment, debt collection, HR etc.) and the actual level of security applied to the data. The results of the analysis should then form the basis for the steps taken to improve the situation.