Technological expansion and accelerated globalization in the new millennium puts in front of us new challenges in terms of protecting personal data. The volume of collection and exchange of personal data has increased. Also, it is noticeable that even individuals themselves, knowingly or unconsciously, make their personal data more and more accessible to the public, which can lead to abuse. Therefore, in 2016, EU legislative body has begun drafting a regulation on the protection of individuals with regard to the processing of personal data and the free movement of such data, which is applicable from May 25, 2018.
GDPR (General Data Protection Regulation) relates to the processing of personal data carried out by organizations operating in the EU, if their activities are related to the provision of goods or services to EU citizens or their “behavior” is monitored, even though they are outside of the EU.
General Data Protection Regulation aims at facilitating the flow of personal data within the EU itself and transferring it to third countries and international organizations, while ensuring a high degree of protection of personal data.
GDPR stipulate that:
- data processing must be lawful and transparent
- that the data collected must be accurate and, if necessary, updated, appropriate, relevant and minimized
- to be kept in a form that allows the person to be identified, only for as long as is necessary to carry out the purpose of their processing
- to be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or illegal processing, accidental loss, destruction or damage to data.
GDPR requires that anyone handling information must provide the right to transparent information, the right to access personal data and the right to correct incorrect personal data, the right to delete personal data, the right to oblivion, the right to restrict processing, the right to transferability of personal data and the right to object.
In order for these rights to be fully respected, the data processor must, first of all, obtain the written consent of the person whose personal data are processed. In order for the processing of data to be legal and legitimate, the consent must be unambiguous, clear and voluntary, and the person is informed that his personal data will be processed for some purpose and that a certain time will be kept in an adequate manner, and that he is entitled to withdraw consent.
Implementation of GDPR
In implementing the provisions of the GDPR, each organization should in principle comply with several steps. Namely, it is necessary to initiate the harmonization of GDPR and analyze the existing system within the organization. Then, the challenges imposed by GDPR needs to be presented to management in relation to the business policy. After that, the organizational structure of employees should be considered and include those with appropriate professional profiles in the procedure of classification of personal data being processed. The data should be classified according to the degree of sensitivity and vulnerability, as well as the degree of risk involved in processing these data. It is then necessary to carry out an assessment of the privacy impact (PIA) and, in the event of a high risk to the rights and freedoms of the persons whose data are processed, the DPIA (Data Protection Impact Assessment). When a plan is made, it needs to be started with designing procedures and internal controls, which involve teaching staff, appointing or engaging Data Protection Officers (DPOs) and risk management.
After all, the organization is ready to monitor the processing of personal data, analyze and evaluate them and perform internal audit and after a certain period of time, checking their technical and organizational mechanisms for protecting personal data.
The implementation of the provisions of the GDPR (General Data Protection Regulation) should be approached extremely professionally, given the amount of prescribed fines. Amounts range up to 20,000,000 euros or up to 4% of the total annual turnover for the previous financial year, depending on which provisions have been violated.
If you need help with GDPR support, ITAF can help you with this. ITAF has developed a tool that allows you to fully comply with GDPR legislation in a simple manner and with minimal effort.
Contact ITAF for a free quote.