Posted by Jan Nawrot

Category: gdpr

"Does GDPR affect me?" is a common question among entrepreneurs.

Recently there has been a lot of buzz around the new pan-European data protection rules, the General Data Protection Regulation (GDPR). Why? As it turns out, many entrepreneurs are unaware that the Regulation applies from May 25, 2018, and that they must plan and then implement changes to the way they manage personal data. In a survey conducted by the DMA in 2016, when asked how well prepared they were for the inevitable changes, 46% of the surveyed companies declared complete readiness, 24% said they were partially ready, and 30% considered themselves completely unprepared.

To check whether you are among the companies required to adapt to the new rules under GDPR, see the infographic below:

Infographic: GDPR schema

How can I prepare for the implementation of GDPR?

If, after analyzing the infographic, you know that your company is among those that must modify their personal data management systems, you should be aware of both the scope and the scale of the upcoming changes. Familiarize yourself with the core GDPR checklist prepared for this purpose; its tasks should be completed by May 25, 2018. The checklist consists of five key areas of activity that an organization should work through to be fully compliant with the Regulation:

The first area covers a gap analysis and a compliance analysis (a gap analysis compares the current state with the required or desired state):

  • Review the products and services the company offers
  • Review the data sets you collect and the systems that manage them
  • Review current privacy notices and policies (including the methods used to communicate with the individuals concerned and to obtain their consent)
  • Review the current documentation related to privacy compliance
  • Review the legal bases currently relied on for processing personal data
  • Check the existing uses of children's data and sensitive personal data
  • Identify gaps between your current compliance (under existing EU law) and the requirements of GDPR
  • Identify and plan the compliance actions required by GDPR

The second area involves establishing a data protection management system in your organization:

  • Develop an accountability programme and a management review process
  • Prepare the compliance documentation suite: a data breach register, a register of processing activities, and a privacy impact assessment procedure
  • Appoint a data protection officer where the Regulation requires one
  • Update procedures for handling data subject requests, including requests for access to personal data
  • Update and deliver training on data protection and data management for company personnel
  • Make sure that technical and operational procedures exist to honour the rights of the people whose data you hold, such as the right to erasure (the right to be forgotten), the right to data portability, and the right to object
  • Improve the organizational compliance methodology

The third area covers keeping contracts and policies clear and meaningful:

  • Check third-party contracts involving personal data
  • Review the legal bases used in the organization and confirm that they are sufficient under the Regulation
  • Create templates for data processing agreements with third-party service providers, agreements covering intra-group data export, import and processing, contracts with partners and external parties, and liability apportionment clauses
  • Verify and update public privacy notices, employee privacy notices and corporate policies
  • Implement an overarching data protection policy that brings together all the rules and processes for protecting the data entrusted to you; treat this implementation as a design process in the broad sense
  • Review and define the conditions for obtaining valid consent

The fourth area introduces actions to maintain an adequate level of security:

  • Determine whether the organization processes sensitive personal data, and of what kind and in what quantity
  • Check all cross-border data flows (between Europe and other continents); review and update the mechanisms used to transfer data abroad
  • Check security protocols and consider adopting the security measures the Regulation names, including encryption and pseudonymisation
  • Review and update action plans for a data breach; under GDPR the supervisory authority must be notified within 72 hours of becoming aware of a breach where feasible, and the affected individuals without undue delay when the breach is likely to result in a high risk to them
  • Inform staff of the rules and of their obligation to report all security breaches
  • Draft security breach notification templates and a security breach response plan
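Pseudonymisation, named in the fourth area, is the one item on this checklist that is a concrete engineering technique, so the following is worth seeing in code. GDPR Article 4(5) treats data as pseudonymised only when it can no longer be attributed to a person without "additional information" that is kept separately; in the example below that additional information is a secret key held outside the dataset, and the direct identifier is replaced by an HMAC-SHA256 token. The example also shows why an unkeyed hash of a guessable identifier (an e-mail address, a phone number) does not pseudonymise anything. This is an added example written for this page, not code from the original article or from any product the site describes; the records, the key and the function names are all constructed for illustration.

```python
"""Keyed pseudonymisation of a direct identifier (added example).

The dataset handed to analytics carries only HMAC-SHA256 tokens; the key
is the "additional information" of GDPR Art. 4(5) and lives in a separate
system (a KMS or secrets manager), never beside the data. All records,
keys and names below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample export from a CRM; "email" is the direct identifier.
RECORDS = [
    {"email": "anna.kowalska@example.com", "city": "Wroclaw", "plan": "pro"},
    {"email": "jan.nowak@example.com", "city": "Warsaw", "plan": "free"},
    {"email": "Anna.Kowalska@example.com ", "city": "Wroclaw", "plan": "pro"},
]


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key; store it apart from the data."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> bytes:
    """Canonicalise so that the same person always yields the same token."""
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Stable, key-dependent pseudonym: HMAC-SHA256(key, identifier)."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace the direct identifier with its pseudonym and keep the other
    fields, so joins and aggregates still work on the pseudonymised data."""
    out = []
    for rec in records:
        new_rec = dict(rec)
        new_rec["subject"] = pseudonymise(new_rec.pop("email"), key)
        out.append(new_rec)
    return out


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic and keyless, so anyone
    who can guess the input can confirm it (see reidentify_by_guessing)."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def reidentify_by_guessing(token: str, candidates: list) -> "str | None":
    """Dictionary attack: hash each candidate identifier without a key and
    compare. Returns the matching identifier, or None when the token was
    produced with a key the attacker does not hold."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_hash(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = new_key()
    for rec in pseudonymise_records(RECORDS, key):
        print(rec)
    # The unkeyed token falls to a short list of guesses; the keyed one does not.
    guesses = [r["email"] for r in RECORDS]
    print(reidentify_by_guessing(unkeyed_hash("jan.nowak@example.com"), guesses))
    print(reidentify_by_guessing(pseudonymise("jan.nowak@example.com", key), guesses))
```

Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under GDPR, because whoever holds the key (or the lookup table) can re-identify people, so the breach and rights procedures in this checklist continue to apply to it; and the key must genuinely be kept separately, under its own access control, or the "additional information" requirement of Article 4(5) is not met.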

The fifth area focuses on assessing the impact on privacy and personal data protection at the design stage:

  • Develop privacy impact assessment criteria
  • Treat personal data protection and the review of privacy as a design process (privacy by design)
  • Develop a privacy impact assessment protocol

In conclusion, the General Data Protection Regulation applies to all entities established in the European Union whose activities involve the processing of personal data. GDPR also applies to businesses that are not established in the European Union but process the data of people in the EU in order to offer them goods or services or to monitor their behaviour. This Regulation is the biggest change in the approach to personal data protection in the past twenty years. It is advisable to review the company's data security situation as quickly as possible and take action to become an entity that meets the requirements of the Regulation adopted in April 2016. Market participants should be aware that failure to comply will be punished severely, with administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
