GDPR – revolutionary amendments to take effect as soon as from May 2018

23 October 2017 

In May 2018, personal data protection and processing laws will start to apply across the EU. The General Data Protection Regulation (GDPR) introduces severe penalties for non-compliance with the GDPR requirements and redefines the obligations of personal data processors.

The new obligations refer to, among other things, setting up and maintaining security systems, informing employees of risks, monitoring of personal data security, and immediate reporting of any incidents involving loss of personal data.

The purpose of introducing the new regulations is to harmonise the personal data protection laws and procedures across the EU. The importance of personal data protection is unquestionable, but the way this issue has been handled in the day-to-day practice has often left much to be desired.  Therefore, the GDPR defines how companies should ensure the protection and security of the processed data – this refers not only to data controllers, but also to entities processing data on their behalf (the so-called data processors, e.g. outsourcing companies). Every data processor will be obligated to implement administrative procedures and technical measures ensuring the appropriate level of security of data being processed, depending on the level of risk of loss or unauthorised disclosure of data to which a specific company is exposed. The amendments introduced by the GDPR will start to apply on 25 May 2018; thus, not much time has left for companies to prepare for the changes. First of all, it is worth knowing what changes the GDPR will bring, how they will affect individual companies, and how to prepare for the changes in a proper and timely manner.

GDPR penalties

What is most striking when reading the new provisions for the first time are the financial penalties for non-compliance with the GDPR duties.  They may reach as much as EUR 20,000,000 or up to 4% of a company's total annual worldwide turnover for the previous year, whichever is higher. As the penalties are severe, it is high time companies considered solutions that will suit them.

GDPR training for employees

A fundamental issue seems to be the informing of employees on how important it is to protect personal data and to give them training in how to follow the implemented procedures, and observe the new duties and the related restrictions. This is because no system will ever work if the people who are part of it neither know nor believe in its purpose. It is the employees, including those not involved in the handling and processing of personal data on a daily basis, who should know what a "data leak" is, how to identify it, and what to do if it occurs. Companies will be required to regularly train their employees in their internal procedures and implemented solutions regarding cyber security and organisational measures. It may also be worth discussing in more detail the changes to be introduced by the GDPR and explaining why this issue is key not only in the context of the penalties, but also in the broader context of data security that concerns all of us.

GDPR – changes in the procedures

The GDPR does not strictly specify what technological changes should be implemented. The EU legislators do not offer any ready-made solutions, they only say that companies will be required to develop and implement such procedures and security measures that are adequate to the nature of the company's business and the level of risk of loss or unauthorised disclosure of data being processed. It is at the discretion of every company to determine the level of that risk and the type of the necessary security measures and controls.  Apparently, this gives companies a lot of freedom, but it actually burdens them with a great responsibility. In cases of a breach, every enterprise will have to prove on its own to the supervisory authority that it made every effort to prevent any irregularities.

GDPR – the risk analysis

Before implementing a network security system, it is highly advisable to analyse the company-specific risk relating to personal data. Although the obligation to conduct an official risk assessment will apply only to some entities, it seems reasonable for every company to conduct such an analysis. As well as increasing the effectiveness of the data security system, such a risk analysis will be a good argument demonstrating to the supervisory authority that the company has exercised a high level of due care to secure personal data within its establishment.

System security testing

The changes will also introduce the requirement to regularly test the security of the implemented personal data protection systems. The past experience shows that most companies did not regularly or did not check at all whether their network security systems worked properly. Also in this matter the data controller will be free to make decisions – he will decide on both the frequency and the methods of testing. When making such decisions, the number of operations involving personal data and the monitoring of any incidents should be taken into account.

Obligation to monitor and report data leaks

The most important obligation is also the monitoring and reporting of data leaks. Reports on the loss or unauthorised disclosure of personal data should be filed with supervisory bodies immediately, however, not later than 72 hours of learning of the incident. This means that it will be necessary to take action immediately, which will be possible only with a well-functioning security system, adequate procedures and a high level of knowledge and awareness of this topic among employees. If, for some reason, the report is not filed within the set deadline, an explanation will have to be appended to the report to explain the reason for the delay.

The changes to be introduced by the GDPR will undoubtedly require huge workload and a high level of diligence from enterprises involved in personal data processing. Of course, the Regulation introduces many more solutions than the six fundamental responsibilities presented above. In the broader perspective, stricter personal data protection rules may benefit us all, both individuals whose personal data are processed, and legal entities who process the data. However, the identification of the current condition of security systems and the implementation of adopted solutions is a time-consuming process involving huge workload and resources. Nonetheless, it is advisable to start to deal with it as soon as now, before the Regulation becomes effective, and to properly analyse risks, develop a security system tailored to the entity's business, involve all employees in the process, and consult experts who deal with cybersecurity documentation and systems on a daily basis. All this to avoid unnecessary problems. Given the complexity of the requirements and changes to be introduced by the GDPR, getting ready today may help you avoid trouble and save resources in the future.