From May 2018 the GDPR will apply across the EU. It introduces severe penalties for non-compliance and redefines the obligations of companies that process personal data. The new obligations cover, among other things, setting up and maintaining security controls, monitoring the security of personal data, and prompt reporting of any incident involving the loss of personal data (notification of the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach). The first step is to conduct a risk analysis.

In the case of capital groups with several companies in different jurisdictions, it is highly recommended to coordinate efforts across those jurisdictions. The most common mistake, and one that must be avoided, is a lack of coordination between group companies in different jurisdictions (it is certain that the regulators will cooperate cross-border). If the level of "adequacy" adopted in one country differs from the level of "adequacy" adopted in another, defending the group's position before a regulator becomes much more difficult. The assumptions made by companies from the same capital group should be consistent.

So far, the fines for non-compliance have been trivial, but from May 2018 they will be really significant (up to 4% of the annual worldwide turnover or up to EUR 20 million, whichever is higher).

The purpose of the new regulation is to harmonise personal data protection laws and procedures across the EU. This is why those with companies in various jurisdictions are advised to coordinate efforts between their group companies in different countries. The new rules define how companies should ensure the protection and security of the data they process; this applies not only to data controllers but also to entities processing data on their behalf (the so-called data processors, e.g. outsourcing companies). Every company that processes personal data will be obliged to implement (a) procedures and policies and (b) technical measures ensuring an appropriate level of security for the data being processed.

The GDPR does not say what technological changes each company should implement. There are no ready-made solutions. The regulation says that companies processing personal data are obliged to develop and implement procedures and security measures that are adequate to the nature of the company's business and to the risk of loss or unauthorised disclosure of the data being processed. It is at the discretion of every company to determine the level of that risk and the type of security measures and controls that are necessary.

Therefore, the first step in each case should be a risk analysis relating to personal data. The obligation to conduct a risk assessment applies to every company that processes personal data. This analysis should be carried out by a team of lawyers and IT specialists, as it involves identifying the risk areas in a company (outsourcing, marketing, recruitment, debt collection, HR etc.) and the actual level of security applied to the data. Such an analysis should then be the basis for the steps taken to improve the situation.
