The General Data Protection Regulation (GDPR) is a new EU regulation that substantially strengthens the protection of personal data of individuals in the European Union.
The regulation introduces the principle of accountability, which requires data controllers and processors, regardless of their size or number of employees, to implement technical, organizational and procedural measures and to be able to demonstrate compliance with the GDPR principles. Implementing accountability will require substantial time and financial investment from businesses. It particularly affects the following areas:
- data protection by design and by default
- preparation of Data Protection Impact Assessments (DPIA)
- appointment of a Data Protection Officer (DPO)
- implementation of pseudonymization of personal data
- keeping records of processing activities
- prior consultation with the supervisory authority where a DPIA indicates a high risk that cannot be mitigated
Pseudonymization means processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and protected by technical and organizational measures.
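The definition above has a concrete engineering shape: the dataset keeps a stable token per person, and the secret needed to link that token back to the person lives somewhere else. The following added example (not code from the original article) shows one common way to do this, using a keyed HMAC so the same person always maps to the same token (records can still be joined) while nobody without the key can recompute it. It also shows why a plain unkeyed hash is not pseudonymization in any meaningful sense: an attacker with a candidate list of email addresses reverses it trivially. The records, field names and key handling are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people are fictional.
SAMPLE_RECORDS = [
    {"name": "Alice Novak", "email": "alice@example.com", "age": 34, "city": "Brno"},
    {"name": "Bob Kral", "email": "bob@example.com", "age": 41, "city": "Prague"},
]

# Fields that directly identify a person and must be replaced.
DIRECT_IDENTIFIERS = ("name", "email")


def _normalize(identifier):
    # Normalize so "Alice@Example.com " and "alice@example.com" yield one token.
    return identifier.strip().lower().encode("utf-8")


class PseudonymVault:
    """The 'additional information' the GDPR requires to be kept separately:
    the secret key and the pseudonym -> identifier map. In a real deployment
    this belongs in a separate, access-controlled system (key in a KMS/HSM),
    never stored alongside the pseudonymized dataset."""

    def __init__(self, key=None):
        # A 32-byte random key; accepting a fixed key makes the class testable.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> original identifier

    def pseudonymize(self, identifier):
        # HMAC-SHA256 under the secret key: deterministic for joins,
        # but not recomputable by anyone who lacks the key.
        tag = hmac.new(self.key, _normalize(identifier), hashlib.sha256).hexdigest()
        pseudo = "p_" + tag[:32]
        self._lookup[pseudo] = identifier
        return pseudo

    def reidentify(self, pseudo):
        # Only the holder of the vault can go back from token to person.
        return self._lookup.get(pseudo)


def pseudonymize_records(records, vault):
    """Return copies of the records with direct identifiers replaced by tokens.
    Other attributes (age, city) are left as they are; note that the result
    is still personal data under the GDPR, just with lower risk."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                copy[field] = vault.pseudonymize(copy[field])
        out.append(copy)
    return out


def unkeyed_pseudonym(identifier):
    # Anti-pattern for comparison: a plain hash with no secret.
    return "p_" + hashlib.sha256(_normalize(identifier)).hexdigest()[:32]


def dictionary_attack(pseudonyms, candidates, derive):
    """What an attacker does with a list of guessed identifiers: run the
    derivation they believe was used over every guess and match the tokens.
    Returns {token: recovered_identifier} for every hit."""
    table = {derive(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    vault = PseudonymVault()
    data = pseudonymize_records(SAMPLE_RECORDS, vault)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak_tokens = [unkeyed_pseudonym(r["email"]) for r in SAMPLE_RECORDS]
    print("pseudonymized:", data)
    print("unkeyed hash reversed:", dictionary_attack(weak_tokens, guesses, unkeyed_pseudonym))
    print("keyed tokens reversed:", dictionary_attack([r["email"] for r in data], guesses, unkeyed_pseudonym))
```

The separation is the point: the dataset can be handed to an analytics team or a processor, while the vault (key plus reverse map) stays with the controller under its own access control and logging. Re-identification then requires an explicit, auditable lookup rather than a recomputation anyone can perform. Keep in mind that pseudonymized data remains personal data under the GDPR; pseudonymization reduces risk and helps satisfy data protection by design, it does not take the data out of scope.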
Another obligation related to accountability is that data controllers and processors must keep records of the processing activities for which they are responsible. Each controller and processor is required to cooperate with the supervisory authority and to make these records available on request, so that the authority can monitor the processing operations.
The GDPR applies from May 25, 2018 and establishes a new legal framework for the protection of personal data in the European Union, aiming to safeguard the rights of individuals in the EU against unauthorized handling of their data and personal information. It applies to all companies and institutions, as well as to individuals and online services, that process personal data of people in the EU, regardless of where the processing entity is established.
The intention of the legislators was to give people in the EU greater control over what happens with their data. The GDPR therefore introduces significant fines for violations of the new, stricter rules and requires public authorities and those controllers and processors whose core activities involve large-scale or sensitive processing to appoint an independent Data Protection Officer (DPO). The role of the DPO is to monitor proper handling of personal data, advise on data protection obligations, flag potential data breaches or legal violations, and act as the contact point for the supervisory authority.
Personal data, as defined both in the current Data Protection Directive from 1995 (Directive 95/46/EC) and in the GDPR, means any information relating to an identified or identifiable natural person.
Ordinary personal data includes name, gender, age, date of birth and marital status, but also IP addresses and photographs. Because the GDPR also covers data about self-employed individuals, business contact data such as an email address, a phone number or a state-issued identification number is classified as personal data as well.
Obligated entities that fail to comply with, implement or prepare for the new regulation face significant fines, which in many cases can be financially devastating.
Following the model of competition law, the GDPR introduces fines many times higher than those we have been accustomed to. The maximum fine is 20,000,000 euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. The amount actually imposed depends on several factors, such as the nature, severity and duration of the violation, the number of affected individuals and the extent of the damage, the actions taken by the controller or processor to mitigate the damage, the categories of personal data affected by the violation, and many others.
It is important to emphasize that the maximum fine can be imposed on a small company with five employees just as on a large multinational corporation, if it fails to take the steps necessary to comply with the principles and obligations arising from the GDPR.
In addition to these administrative fines, data controllers and processors may face claims from individuals seeking compensation for material or non-material damage. Companies are further exposed to the loss of trust and the reputational damage that follow from mishandling personal data.