7 Strategies to Comply with GDPR (I)
The provisions of the GDPR, the General Data Protection Regulation governing the personal data of EU internet users, came into effect on 25 May 2018. The main changes concern access to and transfer of personal data, which become more transparent where users so require. We have covered in detail what these provisions involve in the previously published articles here and here.
As the full implementation of the new norms requires a complex effort to unify internal applications and a well-defined strategy, many companies, both in Romania and in other countries, are still conducting GDPR campaigns. As most of us have probably noticed, the first step has been that institutions and companies have informed their clients about their GDPR compliance, making the necessary changes to legal documents such as the privacy policy. The National Authority for the Supervision of Personal Data Processing (ANSPDCP) is in charge of implementing the new provisions. Its site, available at dataprotection.ro, includes extensive information and normative acts regarding the GDPR.
Beyond that, the following are a few effective strategies that many enterprises have already applied, in Romania, in other EU member countries and in the USA.
1. Resorting to a Specialized Legal Organization
Although the provisions of the GDPR are in force and apply to all companies, a given company may be subject to stricter rules or to a set of supplementary rules, depending on the volume of personal data it processes or on its business profile. For this very reason, it is essential that such companies engage a specialized firm and, in most cases, appoint an internal expert to supervise these processes. Currently, many companies in Romania have recruited, or have started recruiting for, a position recently created on the job market: Data Protection Officer.
2. Transparent Communication with the Employees
It is not only the legal or the marketing department that must be up to date with all the provisions of the GDPR but, in principle, all other departments as well, so that the company can operate as a cross-functional, agile team. For employees to clearly understand the implications of these new regulations, it is recommended that the provisions be communicated to them and that their understanding be verified through interactive activities or tests. As this European Directive introduces many new rules, each company should establish a system under which employees regularly refresh the knowledge they have acquired.
3. Correct Organization of Data
Under the new provisions, certain personal data (for instance information regarding religious faith, sexual orientation or biometric information) fall into a special classification and require processing appropriate to that classification. It is therefore important that each company organize its users' data according to the purpose and sensitivity of that data. If the business specializes in data processing, it is advisable to appoint officers to separately supervise the existing data. Although this might seem a discouraging practice, as it takes a long time, in the long run this approach allows greater flexibility in processing and accessing data.
The second part of the article is available here.