In the Czech Republic, the most important buzzword in the field of legal services and IT deliveries is “GDPR-Compliance” and it has serious ramifications for organizations, businesses, and public corporations.
Not a single week passes without at least one professional conference focused on GDPR, either in general, or on its selected issues – in particular, the scope and nature of the requirements imposed on DPOs, data portability (both completely new concepts in the Czech Republic), and the handling of personal data of employees and other workers. These subjects seem to be rolling in from all directions. Unfortunately, the debates and presentations are often used to create business leads (driven mostly by fear of draconian fines, which, if actually imposed, may lead to the effective liquidation of sanctioned enterprises) rather than a conceptual discourse on how Czech organizations collecting, controlling, and processing personal data can improve the quality of their management and ensure greater security for themselves and their customers.
A fundamental issue that has emerged recently is the low probability that the Czech legislator (the Parliament, which will pass the ministerial draft prepared by the Ministry of Interior) will adopt the relevant amendment to the Personal Data Protection Act before late autumn or winter of this year. A culminating government crisis has paralyzed the work of the legislature, and it is unclear whether the necessary amended legislation will be prepared in time for Czech personal data controllers and processors to adequately prepare for its requirements. There is also a strong concern that the Czech lawmakers will continue their tradition of extensive gold-plating and will make the national norms even stricter than the GDPR and the Article 29 Working Party’s guidelines.
It should be noted that although the current Czech Data Protection Act is well-adapted to EU’s Data Protection Directive (1995), its low practical enforceability together with an understaffed control body (the Czech Data Protection Office or UOOU) has resulted in relaxed – and often negligent – oversight of personal data treatment. Therefore, although the GDPR buzzes around in the Czech media almost every week, many organizations have not yet begun making the necessary preparations and are only now about to explore what the new legislation means for them. Regrettably, some of them may find out that diligent preparation cannot be achieved even in the remaining 12 months before the GDPR comes into force.
A second problem is the fundamental misunderstanding of the GDPR’s requirements on the addressees’ side. It is not only in the Czech Republic that the professional public falsely believes that the GDPR is solely the problem of the ICT or legal/compliance department. Only a few actually understand that GDPR is a multidisciplinary problem that Czech organizations will have to address by adopting comprehensive compliance programs, including legal, procedural, and organizational as well as technical approaches. Therefore, changing this biased perception must often be the first step in the compliance project.
A third problem is the inability of organizations to identify what personal data they process, in what amount, and how and for what legal purpose. The Czech economy is characterized by a high proportion of industrial production and services in which personal and other data is merely collected, processed, and stored in one of many enterprise systems without it always being clear if the organization will ever use it. When attempting to perform a basic impact/GAP analysis of the effect of the GDPR on the organization, it often turns out that even the responsible managers do not really know how much data they have, when and where it is processed, and how it is utilized after being processed. Many organizations are, therefore, currently performing more or less complex analyzes of personal data flows within them, the outputs of which often depend mainly on whether the organization was actually able to identify all repositories where the personal data may be located.
Law professionals providing GDPR consultancy and compliance services in the Czech Republic thus often become involuntary business analysts, who need to help the client analyze information systems, processes, and data storage before assessing the legal implications of GDPR in the organization.
By Jindrich Kalisek, Head of IP/IT/Data Protection, PRK Partners
This Article was originally published in Issue 4.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
