Implementation of the GDPR
The General Data Protection Regulation No. 2016/679 (“GDPR”), which comes into effect on May 25, 2018, unifies personal data protection requirements across the European Union. As of this date, each controller and each processor must have its procedures for the processing of personal data harmonized with the GDPR. Fines for violating the GDPR are very high – up to EUR 20 million or 4% of the total worldwide annual turnover.
The GDPR applies to every company, entrepreneur and organization that processes personal data. If your company processes the data of its clients and/or employees, has a customer database, uses the data for marketing purposes, monitors the behaviour of its customers, has a camera system, etc., you are obliged to implement the GDPR in your company.
Implementation of the GDPR requires changes in internal processes as well as changes in the relevant documentation. In order to implement the GDPR in your company, it may be necessary, in particular, to:
- reconsider the legal basis for the processing of personal data (i.e. consent, contract, legal obligation, protection of vital interests of the data subject, public interest, legitimate interest),
- modify the text of the consent to the processing of personal data,
- update the information to be provided to the data subject,
- update the data processing agreements with processors,
- maintain records of processing activities,
- introduce new measures to protect the personal data,
- train the staff in accordance with GDPR provisions.
Implementing the GDPR requirements in a company may take several months (depending on the quantity of personal data and the complexity of processes), so we recommend starting the implementation of the GDPR as soon as possible.