The arrival of the new Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”), means that the protection of personal data in the European Union takes on a new dimension.
From 25 May 2018, after the expiry of the two-year implementation period, this Regulation will be directly effective in all EU countries. It is not just a matter of introducing new legislation, but of a completely new European concept of how the protection of natural persons' personal data is perceived. The Regulation envisages that the right form of personal data protection is to be derived primarily from the point of view of the data subject, and not from the point of view of protecting an enterprise, which can have a major impact on businesses. At the same time, the range of enterprises covered by the Regulation is expanding: the decisive criterion is no longer the place where the processing organization has its seat, but the origin of the personal data. The new territorial scope also covers processing organizations that are not established in the Union but whose activity relates to offering goods or services to data subjects in the Union, or to monitoring the conduct of data subjects insofar as that conduct takes place within the Union, or where the Regulation applies by virtue of international law.
The Regulation also seeks to ensure consistency and transparency for all economic entities, including micro, small and medium-sized enterprises. This is why the Regulation contains very few exceptions. One example is micro, small and medium-sized enterprises that do not need to maintain records of processing activities within the meaning of Article 30 par. 1 and 2, provided that they employ fewer than 250 persons, that the processing is unlikely to result in a risk to the rights and freedoms of the persons concerned, and that the processing is occasional and does not involve special categories of personal data. Given this very restrictive definition, it is likely that only very small enterprises which almost never process personal data will qualify, something that is quite difficult to imagine nowadays.
The next step in supporting smaller entities, which can easily find themselves in a difficult situation once the GDPR takes effect, is to call upon associations and other bodies representing controllers or processors to draw up codes of conduct with the support of the supervisory authorities, the Member States, the Committee and the European Commission. The purpose of such codes is to facilitate the application of the Regulation, taking into account the specific features of processing in certain sectors and the specific needs of micro, small and medium-sized enterprises. For example, this could concern small tradesmen with few employees, for whom the introduction of the Regulation is likely to be a bureaucratic burden.
At the same time, the specific needs of micro, small and medium-sized enterprises should also be taken into account when introducing certification mechanisms for the protection of personal data, as well as the seals and marks introduced to demonstrate compliance with the Regulation. Unfortunately, to date, the Slovak Personal Data Protection Office can only refer to ongoing negotiations at the European level, which should set the right direction for all supervisory authorities while maintaining the necessary consistency.
Last but not least, it must be emphasized that the main difference in the processing of personal data in micro, small or medium-sized enterprises vis-à-vis large and multinational corporations will probably be an exemption from the obligation to carry out a “Data Protection Impact Assessment”, which seemingly will mainly relate to larger entities or to entities aiming at the economic use of the personal data of natural persons. The assessment is required where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purpose of the processing.
In some cases, the Regulation directly requires such an assessment to be carried out: where automated processing or profiling is used, where special categories of data or data relating to criminal convictions and offences are processed on a large scale, or where a publicly accessible area is systematically monitored on a large scale. The Regulation has also mandated the supervisory authorities to draw up and publish a list of those processing operations that will always be subject to the impact assessment requirement. But we will still have to wait for this list. It should be noted, however, that the impact assessment does not concern only large enterprises: micro, small or medium-sized enterprises may also be subject to it if they use one of the above-mentioned data processing methods.
In line with the above, it is imperative for every enterprise, regardless of its size, to begin preparing for the GDPR now. This is a long-term process, and even the authors of the Regulation themselves do not yet seem to have a complete picture of the consequences of the new concepts and the associated costs for running businesses. In any case, it is good to know now which obligations will concern your business and to start planning the individual steps in good time, because the maximum fine for violation of GDPR obligations is EUR 20 million or 4% of the worldwide turnover for the previous financial year.