The General Data Protection Regulation, known under the abbreviation GDPR, will come into force as soon as in May 2018. It envisions stiff fines for data controllers and processors, which is why many businesses are anxiously eyeing the future. However, in this area as in so many others, nothing is as bad as it may seem at first glance.
Authors: Anna Suchá, Markéta Pravdová
We already informed you in a previous issue of our newsletter that the GDPR, a Regulation which seeks to strengthen the protection of personal data and to unify the data protection rules on the European level, will come into force on 25 May 2018, whereupon it will be binding and directly applicable also in the Czech Republic. The GDPR affects everyone who works with information natural persons (private individuals), be it in digital form or in the form of physical „paper“ databases (card catalogues, archives).
Compared to the current legislation, the GDPR introduces substantially more stringent data protection standards. Still, fear of the GDPR is unfounded: a number of the mechanisms contained therein are already in place in the Czech legal system under current law, or have become established standard practice. True, the GDPR does contain numerous new rules, so that it is certainly advisable to diligently prepare for the new Regulation. These preparations should include, in particular, a GDPR audit, i.e., a critical review of the type and scope of personal data which is processed by your company, and the purposes for which this is done, along with finding the answers to various related questions. This is made easier by using a questionnaire which we devised and which we can find on our website. Based on your filled-in questionnaire, we will be able to analyze the impact which the GDPR will have on your company, determine whether you are subject to it at all, identify the necessary changes and adjustments, and prepare their implementation.
As a part of this work, it will likely be necessary to revise the agreements with data subjects, as well as the wording of the consent with the processing of personal data which you regularly obtain from data subjects (employees, customers, business partners, etc.). Internal policies and processes will also have to be carefully reviewed and brought in line with the Regulation; in addition, documents will have to be created which prove compliance on the basis of the principle of responsibility (such as a code of conduct). Last but not least, adequate rules should be put into place not only for the data processing itself but also for the communication with data subjects, and for the resolving and communicating incidents related to a breach of data security.
With us by your side, you need not worry about the GDPR, as we will gladly give comprehensive advice in this area of the law. If you are interested in our assistance, please do not hesitate to approach us – there is still time to prepare for the GDPR and implement the necessary changes. For more information, please click here.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC