What is GDPR?
The once-distant vision of data protection reform in the European Union is becoming a reality. The EU's work on introducing uniform legislation, launched in 2012, will soon come into effect. What does the reform really mean? What are GDPR and RODO, and what are the changes?
The General Data Protection Regulation (GDPR, RODO) is an EU legislative act containing provisions on the protection of individuals with regard to the processing of personal data and on the free movement of personal data. The Regulation was adopted on April 27, 2016. From May 25, 2018, after a two-year transition period, the RODO will become effective in EU Member States. GDPR comprehensively regulates the protection of personal data in the European Union. The main aim of the work on the Regulation was to reduce the variation between the rules of individual Member States of the Community. Because the act takes the form of a regulation, it applies directly and does not require any special adaptation of the national laws of the individual EU countries. The changes are primarily intended to ensure the security of the pan-European system for processing personal data.
The most important changes
The GDPR is not a revolution; it does not turn the world of data protection upside down. The gradual process of change and the two-year transition period allow organisations to become familiar with the coming changes and to enter the new legal order smoothly. This evolutionary path does not, however, mean the absence of major changes that will affect entrepreneurs. The need to adapt processes and technical infrastructure, together with the duties that follow from it, are changes that must be prepared for.
An important element of the new regulation, the definition of personal data, does not differ significantly from the current rules. The GDPR clarifies the concept of an identifiable person, pointing out that an online identifier is sufficient to make a person identifiable. In practice this means that an IP address and the identifiers stored in so-called cookies will become personal data within the meaning of the GDPR.
A significant change concerns the way consent to the processing of sensitive data is given: under the Regulation, such consent must be expressed explicitly. The GDPR extends the range of sensitive data to include biometric data. The handling of personal data breaches is also changing. The GDPR introduces a strict obligation to notify a personal data breach within 72 hours of the data controller discovering it. The competent authority for this type of notification is the supervisory authority (GIODO).
GDPR introduces a data protection impact assessment and prior consultation with the data protection authority - if the way data is processed, particularly with the use of new technologies, may pose a risk to the rights and freedoms of individuals identified.
The provision envisaging high administrative penalties for violating the protection of personal data raises great controversy. More serious infringements will result in fines of up to EUR 20 000 000 or 4% of total global turnover. Less serious infringements are subject to a fine of up to EUR 10 000 000 or 2% of the entity's total global turnover.
Another key change is the explicit catalogue of 7 principles of personal data processing, which sets the direction for the whole system of personal data security and protection. From these principles follow, among other things, the principles of privacy by design and privacy by default.
The RODO grants a number of new rights to citizens and broadly extends existing ones. These include, for example, the right to be forgotten (the ability to have one's data deleted from a database), the right to request data transfer, and enhanced rights of access by citizens to their own data.
The EU Regulation also has consequences for entities other than Administrators or processors established in a Member State. Entities outside the Union, whether countries or companies, that process personal data in connection with offering goods and services are obliged to comply with the provisions of the Regulation.
Another key element of the change is the obligation for both the Administrator and the processor to appoint a data protection officer. This person must have expert knowledge of personal data protection. This obligation goes hand in hand with the obligation to prepare and maintain comprehensive records of the data processed.
As you can see, the changes introduced by the General Data Protection Regulation require companies to take concrete action. The Regulation will inevitably generate costs associated with ensuring a high level of IT security. According to the IDC Research Center, in 2018, 34% of IT security spending in Europe will be associated with adapting enterprise systems and processes to the new legal requirements for the protection of personal data. The process of bringing a company into line with the RODO therefore cannot be fully outsourced and then forgotten. Of course, the help of experts and external consultants is not prohibited in this area, but it is important that the company itself acquires the know-how needed to manage the area of personal data.