GDPR and its use
On 25 May 2018, the General Data Protection Regulation (“GDPR”) came into force, changing the way European companies process, protect and store information that identifies individuals. The regulation takes into account the development of technology and makes it possible to apply the same approach to data protection across the European Union.
Serious violations of its requirements may expose a company to a fine of up to EUR 20 million or 4% of its total annual worldwide turnover, whichever is higher.
GDPR is a European regulation whose aim is to raise and harmonize the level of data protection for all people in the European Union. Under the GDPR, all entities that act as controllers or processors of personal data are obliged to safeguard the data of their employees, clients and suppliers. Companies are obliged to make every effort to ensure that the principles of personal data protection are well understood and implemented in the relevant functional areas.
GDPR is an additional effort and challenge for the vast majority of companies, but also an opportunity to put data processing in order – not only in relation to personal data. Increased employee awareness of business confidentiality, greater control over suppliers and reduced documentation are just a few of the benefits companies gain from properly implemented data protection rules in line with the GDPR.
GDPR highlights:
- Penalties for non-compliance of up to 4% of global turnover.
- Broad definition of personal data: any information enabling the identification of a natural person.
- Data accountability – personal data in the company should be treated like money: the company should strictly control it and manage it in accordance with a number of rules.
- Shared responsibility of the Controller and Processor – the company remains responsible for personal data entrusted to suppliers, co-workers or partners.
- Expanded rights of data subjects – the rights of individuals and the principles for exercising them have been significantly extended.
- Data Protection Officer – required for large-scale processing or specific categories of data; useful and recommended in any company.
- Reporting personal data breaches to PUODO (PL) – obligatory within 72 hours of discovery.
- Data Protection Impact Assessment – a new tool for controlling and evaluating the data protection measures applied.
- Data transfer – transferring personal data outside the European Union requires additional data protection safeguards.
- Privacy as a basis – the protection of personal data must be taken into account at every stage of designing new processes, products, solutions and systems.