Record fines for careless data controllers from 2018. Negligent and careless companies might face with exemplary fines and sanctions – turned out from the latest Mazars analysis. The leading international audit and advisory firm advises to all Company and public organisation to start preparing for the regulation in time.
20 million EUR fine can be imposed for those who violate the new EU data protection regulation
● In one year, the new EU data protection regulation will be applied in Romania as well.
● Organisations should appoint data protection officers, develop and implement policies concerning personal data handling, and personal data breaches have to be reported to local supervisory authority within 72 hours.
● Personal data could be an e-mail address, IP address, or even a GPS coordinate.
After long years of negotiations and wording, on 27th of April 2016, the European Parliament and the Council has issued the 2016/679 regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
„Due to the serious data breaches happened in the past period, and the technological changes occurred, the leaders of the European Union considered to implement and demonstrate the most rigorous data protection regulation in the world, in order to enforce corporations inside and outside the Union to raise data protection concerns on a higher level” – said Răzvan Butucaru – Partner.
The regulation so called GDPR (General data Protection Regulation) will enter into application at the 25th of May, 2018. Until that moment, all of the organizations located in the European Union, or providing services to EU citizens have to comply with it. The regulation will automatically enter into application in Romania as well, replacing the current local data protection regulation of law 677/2001 for the protection of persons concerning the processing of personal data and free circulation of such data.
What is the value of personal data?
The new regulation contains several new expectations. The most important is that the range of personal data is way wider than before. Every data that is directly linked or which can be linked indirectly to a natural person, including its private, professional, or social activity, is considered to be personal data. Therefore a name, birth date, healthcare information, account number, income, geographic data (such as GPS coordinate), e-mail address, telephone number (private and corporate), mailing address, IP address, or even a link points to a social media profile is personal data itself.
It is clearly an important progress: if there is a suspicion that a company handles personal data on an inappropriate way, the burden of proof became the duty of the data controller, instead of the individual who the data concerns to. So from this point, the data controller has to demonstrate that the expected activities were put in place in order to protect the data of the individual.
For those institutes handling and processing personal data on a large scale and in automated manner, (such as banking, insurance, healthcare or IT service providers) should not advert to the technical difficulties of the data protection anymore. Those organisations (and those who handle especially sensitive data such as political views, sexual orientation, trade union membership details etc.) will have to appoint data protection officers with appropriate skills, who will be personally responsible for implementing and maintaining the data protection and compliance framework on a risk based approach.
Other new expectation, that GDPR makes mandatory to report all significant incidents resulting personal data breach to local supervisory authority within 72 hours.
„Incident can be an external hacker attack for example, or such trivial cases when somebody lost a laptop containing client’s personal data, or when a former co-worker shares the company’s contact list with a marketing agency. In the future, no such cases should ever happen when millions of passwords are stolen from an international e-mail service provider, and they inform the public years after the case.”- Georgel Gheorghe – Mazars IT Audit Manager
The „Right to be forgotten” has also become a current topic in the recent years. Despite the omnipotence of the digital word, everyone will have the right to ask for the deletion of her/his personal data whether is it unpleasant or just not relevant anymore. However the deletion is technically not easily feasible in case of every situation, therefore those companies, where this might be an actual demand, special policies and practices has to be designed.
It is clearly seen that data privacy will became an issue in focus, as those provisions above are not directives but mandatory regulations. Non-compliance might costs the firms a lot, as sanction can reach 20 million Euros, or the 4% of the last year global revenue – the higher amount from those.
For instance: When a healthcare insurance company rejects its’ data storage in a way when previous sanitary services can be retrievable and linked to specified individuals, the company will face a serious fine from the supervisory authority.
For comparison, in 2016 the National Supervisory Authority for Personal Data Processing issued fines for non-compliance with the provision of law 677/2001 in amount of 70,000 Euros. The companies sanctioned are in general banks, credit institutions and telecommunication operators.