Now that the European Parliament has approved the General Data Protection Regulation (the Regulation), which will be directly applicable in all EU Member States, it is important for businesses to pay attention to the new requirements they must comply with in order to ensure proper personal data management and processing.
Businesses have a transition period, until 25 May 2018, to implement the changes required of them. It is highly advisable to start preparations now, because from the effective date of the Regulation, companies that are not in compliance with the Regulation will be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
To prepare properly for compliance with the Regulation, we recommend:
– To ensure that any processing of personal data is lawful and fair. It should be communicated to natural persons clearly and in a transparent manner that personal data concerning them is collected, used, consulted or otherwise processed, and to what extent this personal data is or will be processed. The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand.
– To prepare a personal data management policy. This policy should set out the essential principles of data management and processing in your company, as well as data subjects' rights. Please note that the Regulation requires that information on data protection issues be clear, presented in understandable language and easily available.
– To inform employees of the changes. Make sure that employees are properly acquainted with the changes in personal data control and management policies, the new personal data protection requirements and their own responsibilities.
– To check the legal grounds and documentation on which personal data is being managed. Under the Regulation, consent to manage and hold personal data should be given as a clear act, with confirmation that it is freely given. Consent must be specific and clear, so that the data subject agrees to the management of personal data. Review the existing forms of consent and assess whether they are appropriate. Make sure that the person is fully informed about the data processing and the extent of data usage, and that the person's consent is given of their own free will.
– To retain collected consents. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. It should be noted that in the event of a dispute regarding data management, it is the data controller who will have to prove that it received adequate consent from the data subject to process the data; we therefore advise taking proper measures to retain consents.
– To check the lawfulness of the processing of personal data of children. According to new provisions, processing of personal data of a child shall be lawful where a child is at least 16 years of age. Where the child is below the age of 16 years, such processing shall be lawful only if (and to the extent that) consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
– To install a supervisory mechanism for personal data protection, i.e. privacy by design. Having such a mechanism in all processes will help to ensure data protection compliance at every stage of the company's activities and to avoid violations.
– To be prepared to deal with requests from data subjects for rectification and erasure of personal data. Under the Regulation, persons will be able to exercise their "right to be forgotten", "right to rectification" and "right to data portability", so businesses have to be prepared to handle such requests.
– To implement appropriate measures for the secure transfer of personal data to third countries or international organisations. Under the Regulation, personal data may be transferred to a third country or an international organisation only if the data controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. For international organisations, we recommend establishing unified internal rules on data transmission.