The kind of changes in personal data protection that we are currently witnessing happen only once in 20 years. We chatted with Agnieszka Niechcialkowska, a Comarch Project Manager, about the issues connected with the implementation of the new data protection regulation, the new role of data administrators, awareness among businesses and the steps that still need to be taken.
Malgorzata Zabieglinska-Lupa: Starting from 25 May 2018, every organization will be obliged to ensure active and comprehensive protection of privacy. Companies will have to be able to prove that the personal data with which they are entrusted are secure regardless of changing business realities. How should a business prepare for the new regulation?
Agnieszka Niechcialkowska: There is very little time left until the new EU General Data Protection Regulation comes into effect, so any business that has not yet begun work on adapting to the new law could face problems after 25 May.
Simply put, in order to prepare a business for the new regulation, you need to ensure that all data are processed in accordance with the current law, which will expedite and simplify the process of adaptation. It’s essential that business owners familiarize themselves with the new requirements. Special teams should be appointed and trained for active involvement in the implementation. Each team should comprise members with various skill sets, including lawyers, IT staff and organizational security specialists. All processes currently in operation at the company need to be carefully reviewed and verified, personal data processing systems need to be identified, and documents and procedures have to be updated. The next important step is to implement analysis and risk assessment processes for all company systems involved in the processing of personal data. Based on the results, security measures should be tightened and adapted to the requirements arising from the GDPR. It should be stressed that all members of an organization should contribute to and get involved in the process of change.
Malgorzata Zabieglinska-Lupa: Is the GDPR a technological, business or organizational challenge? How will it affect the functioning of organizations?
Agnieszka Niechcialkowska: The GDPR unifies personal data processing laws across Europe, which means that entrepreneurs who operate not only in Poland but in any EU Member State will be obliged to comply with a single law.
I am sure that the severe financial penalties that can be imposed on organizations violating the GDPR will have a huge impact. Of course, such penalties will be imposed on a case-by-case basis, but they may reach up to EUR 20 million or 4% of a company’s global turnover for the preceding financial year. The GDPR also provides for fines for less material breaches, amounting to 2% of global turnover for the preceding financial year, or up to EUR 10 million. It is a significant change that will certainly affect the functioning of organizations.
Certainly, adaptation to the GDPR will not be all plain sailing, as it will require an organization to undergo substantial changes. For example, the new law provides for the right to have personal data erased, in accordance with which every data processing entity will have to remove all existing copies of personal data at the request of anyone whose data is processed. This may cause some technical difficulties. I would like to mention another very important feature of the new law, namely the obligation to notify affected individuals of all instances of personal data breach. Obliging organizations to “tell on” themselves in this way may sound absurd, but it is nevertheless one of the requirements of the GDPR that comes into effect in May. Every organization will have to notify affected individuals of data safety breaches without delay, certainly no later than within 72 hours of becoming aware of such a breach. If the breach is likely to have an adverse impact on an individual’s rights, the person whose data has been compromised will also have to be notified. The GDPR will also affect organizations using or implementing systems relying on biometric data, as these types of data have been classified as sensitive. As an interesting side note, biometric data include not only fingerprints and retina/iris scans but also face recognition, hand geometry, signatures and even a person’s manner of walking – all kinds of data that allow us to identify an individual.
Malgorzata Zabieglinska-Lupa: How about ISO 27001? Can it help businesses prepare for and implement the GDPR?
Agnieszka Niechcialkowska: ISO 27001 can be treated as a starting point for meeting certain technical and organizational requirements that will help us to avoid potential personal data breaches. The information security management system already meets some of the requirements imposed by the GDPR, including encoding personal data, regular efficacy verification and testing technical and organizational measures implemented to ensure security of personal data processing, confidentiality, availability and integrity of systems and services, and quick recovery in the event of data loss. If a business gets ISO 27001 certified, it means that its operations meet the information security standards and that it is on the right track to becoming GDPR-compliant.
Malgorzata Zabieglinska-Lupa: GDPR is not the only hot topic of recent months. Businesses are increasingly relying on cloud solutions. Does the GDPR address the issue of processing personal data in cloud environments?
Agnieszka Niechcialkowska: Personal data processed in the cloud are subject to the same strict protection rules as “paper” data. There are no differences in this respect. Data administrators are legally obliged to observe the provisions of the GDPR with respect to individuals whose data are processed, including acting in accordance with the principles of purpose limitation, transparency and storage limitation. Every customer who wishes to use cloud solutions should, prior to signing an agreement, make sure that they will be provided with adequate technical and organizational protection.
Malgorzata Zabieglinska-Lupa: So, can we leverage cloud solutions and at the same time be prepared for the requirements imposed by the GDPR?
Agnieszka Niechcialkowska: Certainly. Cloud service suppliers should be prepared to provide this, and to ensure technical and organizational support. They should also have tools in place to enable them to meet the requirements of the GDPR. In addition, relevant service agreements should contain provisions guaranteeing that the obligations arising from the GDPR are met. Importantly, the GDPR obliges cloud providers not only to ensure suitable technical and organizational means of protecting data, but also to take responsibility for data protection.
Malgorzata Zabieglinska-Lupa: The GDPR has been making headlines for many months. This is a good thing, because it might mean we will pay more attention to the question of security, not only in the context of personal data protection but as a general topic. What can we, as employees of companies, do daily to better protect ourselves and our personal data on the Internet?
Agnieszka Niechcialkowska: This is a very good question, because actually everybody can take care of their security on the Internet. Remembering a few basic rules will help us to improve data security or just protect our privacy. We shouldn’t open files that come from unknown sources, we should regularly change passwords and, of course, we shouldn’t use one password for every online service. Using a password manager could be a good solution here. Let’s not forget about anti-virus software, either. When choosing online messengers, we should rely on those which use data encoding. To ensure greater security, it is also a good idea to encrypt hard drives of devices connected to the Internet, such as laptops, smartphones, etc.