The GDPR (General Data Protection Regulation) is considered the most extensive regulation adopted at European Union level on personal data so far. Because it is a law that affects us all, we discussed the subject with the Campan & Țimonea Law Firm, which prepared a brief summary of the conditions, implementation procedures and other implications for commercial companies.
EU REGULATION 2016/679
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) cannot be compared with many of the regulations issued so far by the European Union, given the impact and breadth of the measures it stipulates.
The provisions of this regulation are not optional and cover all activities in any sector and field, regardless of the size of the business, because the measures it provides for affect every activity involving information. Information is the GDPR's central point of interest, more specifically everything related to the processing of information: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Deadline for application of the Regulation

25 May 2018 is the date on which the Regulation starts to take effect.
To whom does the Regulation apply?
All natural or legal persons, public authorities, agencies or other bodies that process or have access to personal data – ANY information relating to an identified or identifiable natural person (“data subject”), directly or indirectly.
In short, the Regulation targets ANY ENTITY, regardless of its object of activity.
Who is responsible for verifying compliance with the Regulation?
In Romania, the National Supervisory Authority for Personal Data Processing – ANSPDCP will carry out the checks and apply sanctions on behalf of the EU.
How is the Regulation applied?
The new Regulation is not a Directive, so it applies directly to all entities concerned, without the need for adoption at the level of national legislation. It replaces Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data.
It is necessary to implement technical and organisational security measures to effectively implement the principles of data protection.
It is also necessary to minimise the data processed and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects.
Material scope
All data that is part of a data record system or that is intended to be part of a data record system, covering:
- Data processing carried out in whole or in part by automated means
- Data processing by means other than automated
Territorial scope
- Operators registered in the EU: All activities of a controller or processor registered in the territory of the Union, whether or not the processing takes place in the territory of the Union
- People in the EU: Processing of personal data belonging to data subjects located in the Union, by a controller or processor not established in the Union, where the processing activities are related to:
- offering goods or services to such data subjects in the Union, whether or not a payment is required from the data subject
- monitoring their behaviour, insofar as that behaviour takes place within the Union
Getting Started
The regulation contains a multitude of provisions whose applicability depends on the profile of the organization, and also introduces a series of requirements that MUST be complied with regardless of the type of entity. Explicit consent, security breaches, the data protection officer, children's rights, data protection by default, data protection by design and international data transfers are the key concepts that the GDPR addresses.

Some of the most important notions to consider:
DATA SUBJECT means a person who is identified or identifiable, directly or indirectly, by means of an identification element such as a name, an identification number, location data, an online identifier, or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, regardless of the source of the data (mobile equipment, computer applications, IP addresses, cookies, RFID tags, etc.).
PROCESSING of personal data means any operation or set of operations, physical or electronic, performed on personal data or on sets of personal data, such as: collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying them.
DATA CONTROLLER means the natural or legal person, public authority, agency or other body that, alone or jointly with others.
PROCESSOR means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
PSEUDONYMIZATION means the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure that such personal data is not attributed to an identified or identifiable natural person.
ENCRYPTION means a technical protection measure that ensures that personal data becomes unintelligible to any person who is not authorized to access it.
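As an added illustration of the PSEUDONYMIZATION definition above (example code written for this article, not the law firm's or the Regulation's own), the script below replaces the direct identifier in a constructed customer table with a keyed token and keeps the key and lookup table as the "additional information" that must be stored separately; it also shows why an unkeyed hash of the identifier would not meet the definition.

```python
import hashlib
import hmac
import secrets

# Constructed sample records standing in for a small customer table.
RECORDS = [
    {"email": "ana@example.com", "city": "Cluj-Napoca", "orders": 3},
    {"email": "ion@example.com", "city": "Iasi", "orders": 1},
]

def make_token(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for the same identifier and key,
    but not reproducible by anyone who does not hold the key."""
    mac = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def pseudonymize(records, key: bytes):
    """Split the data into a working dataset and a lookup table.
    The key and the lookup table are the 'additional information' that the
    definition requires to be stored separately, under their own access controls."""
    dataset, lookup = [], {}
    for rec in records:
        token = make_token(rec["email"], key)
        lookup[token] = rec["email"]
        dataset.append({"subject": token, "city": rec["city"], "orders": rec["orders"]})
    return dataset, lookup

def reidentify(dataset, lookup):
    """Only a holder of the separately stored lookup table can link rows back."""
    return [{**row, "email": lookup[row["subject"]]} for row in dataset]

def linkable_by_plain_hash(dataset, known_emails) -> bool:
    """Why an unkeyed hash is NOT adequate pseudonymization: anyone who knows an
    e-mail address could recompute sha256(email) and match it to a row.
    Against HMAC tokens this dictionary check fails without the key."""
    tokens = {row["subject"] for row in dataset}
    return any(hashlib.sha256(e.encode()).hexdigest()[:16] in tokens for e in known_emails)

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # keep the key away from where the dataset is stored
    data, table = pseudonymize(RECORDS, key)
    print(data)                     # no e-mail addresses present
    print(reidentify(data, table))  # identities restored only with the lookup table
```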
Rights and obligations

The data subject has the following rights:
- Right to information and access to data
- Right to rectification or erasure of data (right to be forgotten)
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right not to be subject to an individual decision
- Right to object
The data controller/processor must ensure:
- Means of obtaining explicit consent
- Availability and resilience of processing systems and services
- Security of data access and transfer
- Periodic testing and evaluation
- Data integrity and confidentiality
- Pseudonymization and/or encryption of data
- A record of processing activities
- Notification of personal data breaches within 72 hours
- Restoring data and access to it in the event of an incident
Challenges
The main challenge that the implementation of the Regulation will bring is essentially reforming the entire workflow within each organisation so that, by 25 May 2018, compliance can be declared. A rigorous approach will consider both dimensions of the data flow in an organization, namely:
- information exchanged in internal workflows, including those of departments such as human resources, finance/accounting, etc.
- information exchanged as a result of the organization's object of activity.
For each of these, the organization should ask:
- What type of data regarding employees, customers and collaborators does the organization collect/access?
- Who has this information?
- With whom is the information shared?
- What is the source of the information?
- How can information flows be controlled?
- How can security breaches be managed?
Answering each of these questions will bring the organization one step closer to GDPR compliance, regardless of the targeted workflow.
Another challenge is to maintain the results obtained from implementing the measures provided for by the Regulation, that is, to maintain compliance both at the level of internal work processes and in workflows with third parties, customers or suppliers. However, despite these challenges, the implementation of GDPR measures should be seen as an opportunity to understand, organize and optimize information transactions in the organization, just as Y2K projects essentially brought an improvement in information systems.
GDPR compliance
Where do we start?
To begin with, it should be emphasized that the implementation of this Regulation will not affect a single department of the organization to which you belong, but rather concerns the entire activity. Therefore, in order to ensure the most rigorous implementation, it is necessary to involve a multidisciplinary team that will include, depending on the type of activity, the manager, the legal department, the human resources department, the customer managers, the auditor, etc.
It is also important to note that establishing compliance is not only achieved by involving a project team, imposing new organizational procedures, involving lawyers in the process or using IT tools, but also by using complementary procedures and tools. First of all, in order for an organization to achieve its goal imposed by the GDPR Regulation, namely to achieve compliance, it is necessary to understand it as well as possible and, above all, it is necessary to identify those provisions of the Regulation that apply to the organization.
At the same time, knowing what data the organization holds and how it is currently managed is another very important aspect. Although it may seem complicated and difficult, these two actions (a rigorous inventory of the data, and structuring the information contained in the Regulation on the measures affecting the organization) will form the basis for a plan of activities that will have to be drawn up in order to have an overview of what will follow. Of course, the more details are gathered about the current situation, the more precise the work plan will be. Knowing aspects such as how consent is currently obtained, where the data is stored, who stores it, who accesses it, etc. will also be very useful for identifying the organization's current vulnerabilities from the point of view of the GDPR, and for identifying measures to eliminate them.
To conclude, we believe that the starting point in the process of aligning with the GDPR provisions is the moment the organization begins to collect information about the personal data it holds and how that data is managed.
THE NECESSARY STEPS TO BE TAKEN FOR THE COMPANY’S COMPLIANCE WITH THE EU REGULATION

I. ANALYSIS.
How is the analysis done within the company?
Conducting an x-ray of the organization from the point of view of personnel, to identify stakeholders and those responsible for complying with the policies and procedures governing the processing of personal data. Depending on the type of organization, the Data Protection Officer (DPO) will also be identified.
Quantifying the existing material resources, and those used for data management, will provide an overview of the level of technical consistency with GDPR objectives.
Documenting the data processing activities as rigorously as possible and making an inventory based on the questions: who, what, where, when, why, how?
Details related to international data transfers, both within and outside the EU, must also be identified.
A detailed description of the current way in which data protection is ensured, in order to assess what needs to be updated or newly introduced to comply with GDPR requirements.
II. PLANNING.
How is planning done within the company?
Working procedures in accordance with the provisions of the GDPR
Updating existing work procedures, but also defining new measures to ensure compliance with the GDPR.
It is recommended to develop an internal code of conduct that includes mechanisms to demonstrate compliance with the GDPR or adherence to approved codes of conduct.
The main advantages that a code of conduct offers:
- increasing transparency and accountability
- providing means to resolve crisis situations
- establishing best practices on the GDPR
Technical measures to ensure the provisions of the GDPR
Establishing the means to be implemented to:
- Obtain explicit consent
- Ensure the availability and resilience of processing systems and services
- Ensure secure data access and transfer
- Ensure data integrity and confidentiality
- Provide pseudonymization and encryption
- Track data lifetime and deletion
- Ensure portability
- Keep a record of processing
- Delete data
Data transfer, including international transfer
Establishing the necessary measures to be able to carry out international data transfers legally both within and outside the EU.
III. IMPLEMENTATION
How is the implementation done within the company?
Once the compliance framework and the necessary measures to ensure compliance are defined, concrete steps will be taken to apply the GDPR provisions. Implementation/configuration of the technical means that allow the management of personal data in accordance with the provisions of the GDPR, taking into account the volume of data collected, the degree of its processing, the storage period and its accessibility.
These means must ensure at least:
- Obtaining explicit consent
- Data availability, integrity and confidentiality
- Resilience of processing systems and services
- Security of data access and transfer
- Restriction of data processing
- Pseudonymization and data encryption
- Lifetime tracking and data deletion
- Data portability
- Keeping a record of data processing
Infrastructure modification can take very varied forms and, most of the time, proportional to the size of the organization. Modification can mean: improving existing components, adding new components or even replacing some components. The integration of security products into the existing infrastructure is the most common measure that is recommended to be adopted.
A key principle of the GDPR is that of accountability, which can be synonymous with demonstrable compliance.
Accountability can be done by permanently informing the decision-makers in the organization, but also the staff about the measures to be followed and the steps to be followed.
An effectively structured breakdown of the GDPR should be communicated to both management and staff across the organization, through internal awareness campaigns that will help educate individuals and raise awareness of impending changes to the organization’s policies and procedures. The relevant information and compliance documents of the organization must be structured in a package to ensure the accessibility, maintenance and control of the compliance program as easily as possible.
The information may refer to:
- Policies, procedures and tools
- Security measures
- Data Processing Inventory
- Other stakeholders and contact information
The Data Protection Officer (DPO) is responsible for overseeing the data managed by the organization, its protection strategy, and the implementation of the necessary measures to ensure compliance with GDPR requirements. In three cases, the appointment of a DPO is mandatory, namely:
- If the data processing is carried out by a public authority (except courts)
- If the core activity of the private company consists of processing operations involving regular and systematic monitoring of data subjects on a large scale
- If the processing involves the extensive processing of special categories of data or of information relating to criminal convictions and/or criminal offences
The DPO can be an individual or an organization.
IV. MAINTENANCE
What does a company need to do to maintain compliance with the GDPR?
Periodic testing and evaluation of the effectiveness of data security measures, both from a technical point of view and from the point of view of the work procedures implemented in the organization.
In accordance with the principles of the GDPR, the organization should have internal procedures and processes in place to notify a situation presenting a risk to an individual's rights and freedoms within a maximum of 72 hours.
The incident action plan includes:
- Measures to mitigate the adverse effects of incidents
- Incident prevention measures
- Procedures for restoring data and access to it
- Procedures to ensure the resilience of processing systems and services
- Reporting procedures
Also, in order to have an effective plan, in some organizations it may be necessary to implement tools and means to ensure: the restoration of data and access to them, but also the resilience of processing systems and services.
The official guide on the European Commission’s website can be found here.