GDPR related challenges and opportunities

By: Trademagazin Date: 2018. 09. 27. 10:21

The EU’s General Data Protection Regulation (GDPR) entered into force on 24 March 2016, and after two years of preparation it has been directly applicable since 25 May 2018 without any further member state action. The main reasons for adopting the GDPR are harmonising the rules of Directive 95/46/EC among the member states, modernising the rules and facilitating a more efficient protection of personal data. The GDPR also takes into account and facilitates digital trends and the development of the digital economy in the internal market, and aims to reduce the administrative burden on law enforcement bodies.

Today, data is the greatest asset of a company processing personal data. A significant part of the data held by such a company is personal data, which is not owned solely by the organisation handling it, but also by the individual concerned.

However, setting up appropriate data security practices and data protection procedures, as well as complying with the effective regulations at all times, is the obligation of the entity processing the personal data.
Data protection requires awareness from all parties, and the rules must be observed in the course of processing all client, employee or other third party (e.g. vendor, non-client beneficiary of a client contract) related personal data, as well as in product development, technology processes, reporting etc. To this end it is not enough to introduce rules, technology controls, logging and tests; the corporate culture itself should facilitate the development and use of conscious data processing practices.

In our experience, implementing the above and complying with the GDPR is only possible if the entity processing personal data has a coordinated data security and data protection strategy that allows regulatory changes to be adopted in its activities. Meeting the GDPR requirements is not merely a question of legal compliance and cannot be limited to the modification of policies and statements; it requires a strategy harmonised at company level.

Below you will find a summary of some significant changes related to GDPR.

Accountability as the “super principle”

Retaining the well-known principles of data processing, the GDPR introduces a new one, which is treated as the “super principle”: accountability. Under the principle of accountability, the controller is responsible for ensuring the fundamental right of data subjects to the protection of their personal data by developing appropriate rules, processes and mechanisms, and must be able to demonstrate such compliance to the authorities at any time. Therefore, the new regulation requires increased awareness from controllers, which imposes a significant extra burden on them compared to the previously effective regulations.
Records of processing activities

The GDPR no longer requires that data processing be reported to the data protection authority, but it stipulates that controllers and processors shall keep up-to-date records of all data processing. To this end, companies must be aware of their data processing activities and be able to prove compliance with the GDPR upon the request of the authority, in line with the principle of accountability. This requires a regularly updated data asset inventory and a thorough understanding of it: recording who is processing what type of data and where, including data relationships and data deletion mechanisms.
Data portability

Data portability is introduced by the GDPR as a new right, further strengthening the individual’s right of disposal over their personal data. Accordingly, the individual is entitled to obtain their personal data from a controller – if the legal basis for processing is the individual’s consent, or the data were provided under a contract – and to use them or transfer them to another controller (even a competitor of the first controller) at their own discretion. This right imposes a burden on controllers: in the case of automated data processing, they are obliged to deliver the personal data upon the individual’s request in a widely used, machine-readable, interoperable format, i.e. they must have the technical means required to do so.
Right-to-be-forgotten

Another novelty of the GDPR is the introduction of the “right to be forgotten” into law. Please note that it has always been possible to request that the controller delete certain personal data and make them unsearchable. However, controllers often refused to do this (e.g. citing public interest), and deleted content often remained available after deletion. Under the right to be forgotten, the GDPR introduces a new obligation: if a controller has published personal data, then upon request they are obliged to delete such data and also to make all reasonable efforts to have the data deleted and made inaccessible by other controllers too (including duplicates of the data and links to them).
Built-in data protection

Under the principle of built-in data protection, when setting the technical and organisational conditions for data processing, the controller shall at all times consider the current state of science and technology, the costs of implementation, and the nature, scope, circumstances and purpose of data processing, and shall also take into account the risks related to the personal data, identify and assess such risks and take all the measures necessary to minimise them.
In practice this means that companies must take GDPR requirements into account as early as the development of products and services involving personal data, i.e. in the development cycle, especially the rules pertaining to pseudonymisation, data minimisation, transparency and control. Please note that built-in data protection applies to the full data processing cycle, including IT development activities such as patches and updates.
