GDPR – Personal data protection in companies
PERSONAL DATA PROTECTION IN ENTERPRISE – IMPLEMENTATION OF THE GDPR
From 25 May 2018, new personal data regulations will come into force, and merely patching up the existing implementation of the legal regulations will no longer be sufficient. Under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), new obligations will be imposed on entrepreneurs. From that day, entrepreneurs will be required to build their own personal data protection system, adequate to the business profile of their enterprise. The financial penalty for failing to meet these obligations can reach up to 20 million euros or 4% of annual global turnover.
The GDPR requires entrepreneurs themselves to determine the nature of the personal data in their possession and the risks associated with its processing. They will also be obliged to implement appropriate safeguards.
We kindly invite you to work with us. Our specialist will guide you through the process of adapting your organisation to the new legal regulations.
INTERNAL AUDIT
As part of the service our Company provides, we analyse how personal data is processed within our Client's enterprise and, where needed, indicate possible changes. The auditors are especially interested in:
- the nature of the personal data being processed (whether it concerns clients, employees or contractors),
- the purpose for which this data is processed,
- whether the method of data processing is consistent with the intended purpose (e.g. whether personal data that should be processed only for the performance of a contract is not also being processed for marketing purposes),
- whether the Client holds consent for the processing of the personal data.
The current security status of the personal data being processed should also be determined. As part of the organisation's audit, a checklist is prepared, on the basis of which a final audit report with recommendations for further action is drawn up.
CREATION OF A PERSONAL DATA SAFEGUARD SYSTEM
The next step is to propose safeguards and implement them. Depending on the current situation, this will be either a matter of refining existing solutions or of building a new security system from scratch.
There are 3 categories of security which should be implemented within a new security system:
- Material – security of all documents containing personal data, e.g. by assigning separate rooms in which such documents are stored, with access limited to authorised individuals holding special cards or keys to the room, or by installing a video surveillance system in the area where such documents are stored.
- Organisational – development and implementation of procedures and by-laws that protect personal data, training of employees on the principles of data protection, etc.
- Technical – implementation of security measures for computers, tablets, office telephones and other devices or media on which personal data may be found; proper organisation and security of the computer network, rules on backup copies, a password policy, etc.
DEVELOPMENT OF NECESSARY DOCUMENTATION
Thereafter, the following documents, adapted to the organisation, shall be prepared:
- The personal data security policy. In accordance with the GDPR, entrepreneurs are responsible for developing appropriate documentation, the content of which depends on the risk assessment for the particular data administrator,
- Consent clauses within the documentation of a contract for the entrustment of data processing,
- Information clauses for data subjects whose data was processed prior to the new regulations,
- The register of data processing operations. Such a register is not mandatory for entities employing fewer than 250 people; however, the need for one should be assessed in every enterprise,
- The template for reporting personal data incidents to the Inspector General for the Protection of Personal Data,
- The register of violations.
TRAINING FOR THE PERSONNEL, ASSESSMENT OF IMPLEMENTATION
As part of our co-operation with the Client, our Company conducts the necessary training for every person within the organisation who will have access to the processing of personal data.
We will also summarise the completed work by submitting a report on the implementation of the personal data security system prepared for the Client.
After the implementation, for a limited period of time, our Company will support you in applying the new personal data security policy.