Is your company’s business related to tracking cookies, the financial sector, health data, IT or HR? Are your clients individuals, or do you process personal data in online stores? Then this is the time to start preparing for the new General Data Protection Regulation.
In May 2018 the new GDPR (General Data Protection Regulation No 2016/679) comes into force and will replace the Directive 95/46/EU on data protection requirements. The GDPR will be directly applicable in all countries in the EU.
A lot of wrists are about to be slapped.
In the event of a breach, the supervisory authorities, among them the Estonian Data Protection Inspectorate, can impose fines of up to 4% of an organisation’s worldwide annual turnover or €20 million, whichever is higher.
So what is going to change?
Notification of data protection breach
When any noncompliance is detected, you must notify the authorities at once: all organisations have to notify the data protection supervisory authority within 72 hours of any data breach.
It should be noted that absolutely all industries and sectors will be affected.
You can no longer simply hold and use personal data as you see fit; at a minimum, you must have proper protection mechanisms in place.
Unlike the current situation, the burden of proof falls on the data collector, and no presumption applies in its favour.
Compliance is not presumed; noncompliance is.
You must prove to the authorities that everything is in order in your company.
Do you collect large amounts of data or data which can be seen as sensitive?
Then you need to appoint a specialist, a data protection officer (DPO), to monitor data protection issues. Be aware that a DPO cannot be dependent on the data collector (your business), whether economically or otherwise, and is obliged to report directly to the management.
Appointing an experienced data protection professional to head your data protection compliance demonstrates your accountability.
The DPO could be a lawyer, an advocate or a person who has knowledge and experience in the area.
Where should you begin this process? And what actually changes?
There may be widespread scepticism: you might think that nothing will change or that this should not be taken seriously.
You might doubt or even ignore the change, but doing nothing can cost 4% of your worldwide turnover or €20 million, simply because of noncompliance.
Here are the three steps you need to take first:
The keywords are inspect, prevent and mitigate.
Start from your self-assessment, detect the risks
Self-assessment must be done by the company itself. Engage the IT, HR and sales directors or other staff. Draft your organisational structure, distribute duties, draft a questionnaire and finally identify where data protection needs to be improved.
Prevent the risks you have found
Preventing is much simpler once you have analysed the risks. Find the pitfalls or unanswered questions in your self-assessment report and plan your next actions accordingly.
Mitigate the breach risks
The GDPR puts forward certain options for mitigating risks: you can delete the personal data, obtain consent, improve IT systems, and anonymise personal data. Build effective protection mechanisms into your organisational structure and business processes.
Pulling it all together:
The most reasonable action right now is to take a serious interest in this big makeover.
Take the appropriate steps: track down the risks and raise the alarm, manage your internal processes by obtaining consent and creating internal policies, and erase the data or anonymise it.
Time is running out: with only half a year left, it might not be enough to make the necessary changes. You might need legal advice or even have to file a request with the Data Protection Inspectorate.
Accountability is the main principle of the new GDPR.
Lada Riisna is a Senior Associate and Head of Banking and Finance and M&A at LEADELL Pilv Law Office.
LEADELL law offices – Pilv in Estonia, Fogels, Vitols & Paipa in Latvia, and Balčiūnas & Grajauskas in Lithuania – are among the leading business law firms in the Baltic countries, providing services to business clients.