General Data Protection Regulation (GDPR), a new Gordian knot for companies and Romanian authorities

In December 2016, after 4 years from the initial proposition, the European Council and Parliament have finally agreed on the General Data Protection Regulation (GDPR), that will come in force starting with 25^th of May 2018. GDPR offers a new general and more complex frame for data protection, with more obligations for any organization and the size, the complexity and the operational impact is unprecedented. GDPR is applied to any organization – regardless of its headquarters – that are processing and holding personal data about the citizens of the European Union.

The General Data Protection Regulation imposes to many organizations that one of the first steps to take in order to be aligned with the new regulation is to name a Data Protection Officer (DPO). IAPP (The International Association of Privacy Professionals) estimates that it will be more than 75,000 new certified employees necessary inside the EU to fulfill the compliance requirements of the GDPR.

Are the EU companies prepared? Are the Romanian ones?

Lots of us are asking who and when is going to certify and prepare such a big volume of specialists like the Data Protection Officer, thus in year we can respect the compliance requirements of the GDPR. I personally consider that we are still at the first step – awareness.

The impact of the GDPR

I will try to transpose a top 10 obligations that have the biggest operational impact, accordingly with the list made by IAPP:

1. The obligation to notice any breach in the structure of the IT security and of the access to personal data;
2. The obligation to name a Data Protection Officer;
3. The obligation to have the subjects consent before you can process his personal data, and obviously the proof of the consent;
4. Limit the personal data transfer in other countries that are not under the GDPR, a rule that raises many judicial implications;
5. The making of the consumers’ profile inside the marketing departments will be much more difficult, because the people will have the right to choose if they will give or not the access to their personal data;
6. The people will have more rights than they have now, like being notified regarding the processing activities, having access to the processed information and to correct the administrators regarding the inaccuracies
7. The controlling of the personal data processing changes, thus the detailed obligations of the regulation for the contracts made by entities that process data and controller can force some data operators to reevaluate their agreements with the suppliers to be in compliance. The data processors (a physical or judicial person, a public authority, an agency or another entity that process personal data in the name of the operator) have more tasks inside the GPDR and they also have a bigger responsibility for not being in compliance or for actions outside the authority granted by the controller (agency or entity that alone or together with other agencies or entities establishes how the personal data will be processed). However, the task of personal data protection as is seen by the GDPR, first of all belongs to the controllers. Thus, multiple entities specialized in this particular field have appeared and will continue to emerge, new certifications, in other words the transformation is total and generally valid.
8. Pseudonymization is a process through which the data are not anonymous but cannot be identified directly. Pseudonymization is separating the data from the direct identifications, thus linking to an identity is not possible without more information that will be kept separately. This process can significantly reduce the risks when the data is processed, in the same maintaining the utility of the data. Because of this, GDPR creates incentives for the controllers inside of the organizations to pseudonymizate the data they are collecting.
9. The conduct codes and the specific certifications can offer efficient means to demonstrate the compliance, but in this case, as the others, we are talking about a whole ”bible” that needs to be implemented. There will be organizations that will grant new certification and advice, and it is safe to deduce that lots of things will change in the European Union because of these new certifications.
10. Consequences for violating the GDPR: complex administrative procedures and big fines. More than anything, what will get the attention of the C-Level from any organization is regarding the sanctions and the fines. GDPR allows and encourages the regulation authorities to take up incredibly high fines, that can reach to 20 million euro or 4{9aa0400c31a0d01c2f7c7ddcba6c4fe95da63a3d2a600327922bd2799984742a} of the annual turnover, depending on which one is bigger.

Conclusions

The future does not sound well at all, but I recommend for the authorities or for companies to follow 4 simple steps:

The first step – Information and awareness: in this moment are more and more events dedicated to being informed on the GDPR, so you should participate at these events. The most interested parts from the organization are CEO, CIO, Legal and Marketing.

Smart Alliance – Innovation Technology Cluster organized an event where the main subject was GDPR, on 24th of May 2017, with a year before this regulation will come into force. More than that, it is the first Professional Association for the IT industry in Romania, that can offer the right solutions built on the requirements of the GDPR to help the organizations to get their IT department aligned with the suffocating tasks of the GDPR.

The second step – hire or name a Data Protection Officer – considering the complexity and the compulsoriness of this regulation, the best action is to hire as earlier as possible a human resource that can manage and create a plan to get the organization in line with the GDPR. Even though there is still a year, the time is actually quite short and the implications complex, involving many departments of the organizations; starting with the budget to modifying the marketing processes and the sales strategy. Thus, a dedicated person to coordinate the efforts of all the involved departments is more than necessary.

Step three – Implementing the IT solutions: it is extremely obvious that we will need automation to build and to respect the GDPR requirements. We are talking about an amalgam that is very stuffed with obligations and implications in the whole organization

From my experience there are 2 major strategies regarding the IT systems:

a) Management solutions for GDPR – risk management, reporting, the possibility of anonymity, erasing the data on request. In conclusion, a complex solution that must be integrated with all the existent or future IT security solutions that will be transposed in a Board Table of the organization and the way it operates personal data

b) IT security solutions – we identified 11 different solutions, starting with the classic ones, that the majority of the organizations already have, to solutions like Data Loss Prevention (DLP) and even more complex.

Step four: The aligning of all the internal processes inside the organization: if the first steps are implemented with success, especially the GDPR management solution, getting aligned to respecting the standards will be smoother. Also, will allow a monitoring compliance with these norms in order to avoid administrative measures or fines that can greatly affect the image and financial stability of any mature organization.

Source: Market Watch Magazine