Extra aspects

Last but not least: the GDPR has arrived, and it is serious.

Legal basis

The new Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Recital 1 of the Regulation states that the protection of natural persons in relation to the processing of personal data is a fundamental right: Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. Recital 6 states that rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of protection of personal data. The scope of the Regulation is not limited by headcount: it applies to every organisation, public or private (companies, municipalities, prefectures, ministries and autonomous public bodies alike), whether it has more or fewer than 250 employees.

GDPR

The General Data Protection Regulation (GDPR), which applies from 25 May 2018, requires entities that process personal data to take all appropriate security measures, to create policies and procedures, to appoint a Data Protection Officer (DPO) where required, to create an incident response plan, to train their staff properly, and to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach. Non-compliance can bring fines of up to 4% of annual worldwide turnover.

Helping practitioners in the personal-data space to meet the increased obligations and serious responsibilities of the DPO role requires substantial training and education, both on the Regulation itself and on specific privacy topics: carrying out a Data Protection Impact Assessment (DPIA) when introducing new services or products that involve large-scale processing of personal data or processing of special categories of personal data; establishing a data protection programme or framework within the enterprise; defining a privacy protection policy; handling contact with, and disclosures to, the national data protection authority; and other related matters.

The Data Protection Officer should lead a cross-functional expert group (task force) with members from IT, PR, Legal/Compliance and Information Security: a flexible team that can meet the challenges arising during the implementation of the new, strict legislative framework for personal data, and that has direct access to the management of the company or companies it represents. Otherwise there is a grave risk of enforcement action against the enterprise: administrative fines, but beyond that, suspension of the processing or transfer of certain personal data, which in practice can mean suspension of the business activity itself, with the corresponding consequences.

The role of the Data Protection Officer, a skilled and functionally independent position, is not confined to the mandatory presence required by the new rules. It is not a matter of filling a job (ticking a box) in the way an occupational physician or a safety technician might be appointed.

In substance, the Data Protection Officer represents the company before the national and European authorities, ensures that the business's policies, practices and processing methods, and its storage and transfer of personal data, are harmonised with the new strict legislative framework, and protects the company from risk and from the heavy administrative fines provided for in the rules. These start at 10 million euros or 2% of worldwide annual turnover, whichever is higher, and, for infringement of the Regulation's basic provisions, reach 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher.

GDPR and Materiality

The new rules affect the operation of the company. The key role of the DPO includes, as a minimum:

  • Provide guidelines to the Board of Directors as well as to all members of staff;
  • Provide guidelines to joiners or new members of staff;
  • Provide guidelines to contractors and third parties that use company facilities and company information;
  • Liaise with HR on the development of policies, procedures and practices, particularly for members of staff, interviewees and job applicants;
  • Liaise with the IT department on the development of policies, procedures and practices for information security, data handling, outsourcing, BYOD and monitoring in the workplace;
  • Liaise with sales and marketing to ensure compliance with applicable laws and regulations on marketing, advertising, profiling and publicity;
  • Implement policies and procedures to manage the outsourcing of data processing activities, including the use of third-party vendors for HR, IT and marketing, and particularly where those vendors may process the company's personal data outside the European Economic Area and/or in the cloud;
  • Maintain a close relationship with the Chief Information Security Officer (CISO) in order to manage not only the contractual and compliance issues relating to the processing of personal data but also the information security policies and procedures relating to that processing, and cyber security planning.

Finally, the DPO prepares a summary report for the Board of Directors which describes, as a minimum:

  • the material elements of the company in the data protection area,
  • the basic data protection guidelines, with reference to protocols,
  • the incidents/accidents of the last year,
  • the cooperation with the authorities,
  • measures to strengthen the company's protection against malicious acts originating from both outside and inside,
  • the training programme for avoiding cyber attacks,
  • measures arising from penetration tests and other assessments,
  • any claims for compensation for loss of personal data,
  • any compensation paid for incomplete compliance measures,
  • compensation paid in the last year for loss of personal data by court decision,
  • any other aspect which creates uncertainty for the company's operation.

The above report is published together with the management report, or forms part of it.

Stakeholders for non-financial reporting