GDPR – inadequate data protection will be very costly

The new regulation will take effect from May 2018 in all of the EU countries. Though the deadline seems fairly distant, the scale of the challenges involved in meeting the requirements of the new rules is so big that it is necessary to begin preparing immediately. Onwelo, whose services include cybersecurity consulting and implementation, have the answers to the most frequently asked questions about these challenges.
Which companies have to adapt to the new rules?
The new personal-data protection rules will apply to all companies that process personal data automatically, including social media, e-shops, pharmacies, insurance companies and banks.
“We have to bear in mind that the new obligations affect companies and institutions that process the personal data of citizens of one of the EU states or process data – even at a very low level – on the territory of the EU because of the physical location of their headquarters or through having a branch of the company on the territory of a member state”, explained Rafał Głąb, who is responsible for data security services at Onwelo.
Do I have to employ a separate member of staff for personal-data protection?
The GDPR says that it is obligatory to do so, but only for the following entities:
• all public entities other than judicial bodies
• companies whose core activity is the processing of special personal data, such as information on ethnicity, race, sexuality, political views, religious beliefs or previous convictions
• companies that monitor people’s behaviour while at the same time processing their personal data (this definition covers Facebook and Google, for example)
A person employed as a Data-Protection Officer or Data-Protection Inspector may be shared by a group of companies or institutions, provided that he or she can always be contacted easily, regardless of the geographical location of the company or institution.
What is a Data Protection Impact Assessment and must I have one?
All companies that process personal data automatically and are therefore subject to the new regulations must produce a Data Protection Impact Assessment (DPIA).

“The assessment must include a precise and systematic description of the purposes of the data processing and the operations that are planned in connection with it. It is also necessary to explain how the processing and operations are connected with the activity of the organisation. Furthermore, the document must assess whether the processing is essential and proportional to the stated purposes and gauge the risk of breaching the rights or freedoms of the people whose data is processed. All organisations must set out the measures they plan to take to address a potential risk. Every time the risk changes, the DPIA must be amended accordingly”, explained Onwelo IT-Security Expert Marcin Baranowski.
If the assessment finds that the risk of a breach of personal data is high, the data administrator must consult the regulatory authority before beginning data processing. This body will write to the data administrator within eight weeks, which can be extended to fourteen weeks, stating how the risk can be minimised.
What else do we need to know to avoid penalties?
GDPR introduces a number of changes to existing data-protection rules that must be reflected in companies’ regulations and privacy policies. It will, for example, be necessary to document, visibly and openly, the scope of the data and each of the places they are processed in, to complete all of the required consents, and to implement tools to monitor the data processing and generate alerts when irregularities are detected.
“Each case of a breach of personal data will have to be notified to the Office for the Protection of Personal Data (UODO), and to every person whose data has been breached. If contacting these people would require disproportionate effort, it will be possible, for example, to issue a public communication instead. A notification of a data breach must contain a description of the nature of the breach, the name and surname, the data administrator’s contact details, and an account of the possible consequences of the breach and the measures taken to address it. If the notification is not sent within seventy-two hours, it will also be necessary to attach a note giving the reasons for the delay”, explained Rafał Głąb.
Should we fear GDPR?
Implementing the new regulations will definitely be something of a burden – especially for small companies and e-shops. To adapt to the new regulations they will have to read the existing personal-data protection regulations, become familiar with the existing tools and procedures, and then update them according to the new rules. GDPR will also present a considerable challenge to companies that process high volumes of personal data and are therefore at greater risk of breaches. Using appropriate means, they will have to do everything in their power to protect and secure the personal data they process. Doing so will mean that they are not exposed to draconian fines.
“Having said that, we have to remember too that these regulations are being brought in to protect us all, and I think that it’s good that companies and institutions when they are processing our personal data will have to try to protect it in as secure a way as possible”, said Rafał Głąb, summing up.
More information is available at: www.onwelo.com/gdpr.