Almost five years after the European Commission submitted its first proposal to reform the data protection landscape, a new General Data Protection Regulation (GDPR) has finally been adopted, designed to harmonize data protection across EU Member States. The GDPR will be directly applicable in all Member States as of May 25, 2018, placing, in the interim, every affected business in a race against time to meet all the compliance obligations it imposes.
Starting with its scope, the GDPR expands the territorial reach of the current Data Protection Directive 95/46/EC, bringing both EU-established and non-EU-established data controllers and processors within its ambit. Although the notion of EU establishment initially created confusion as to whether it requires the setup of a legal entity or merely an operational presence in a Member State, it appears that a stable operational presence suffices, the legal form of that presence (branch, subsidiary or otherwise) not being the decisive factor. In addition, data controllers and processors outside the EU fall within the territorial scope of the GDPR as long as they target data subjects within the EU by offering them goods or services, or monitor their behavior through online tracking methods; such controllers and processors must, as a rule, also designate a representative within the EU.
A newly added and somewhat confusing provision concerns the appointment of a Data Protection Officer (DPO). Although the Commission's initial proposal required a DPO only for companies with more than 250 employees, the final text ties the obligation to the nature of the processing instead: a DPO must be appointed where the processing is carried out by a public authority, where the organization's core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of special categories of data. The GDPR allows an employee of the controller or processor to serve as DPO, provided the role does not conflict with his or her other duties, and also allows the function to be outsourced to a third-party firm under a service contract.
The GDPR introduces a brand new breach-notification procedure, requiring data controllers to notify the competent supervisory authority (in Greece, the Hellenic Data Protection Authority) of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Breaches that are unlikely to result in a risk to the rights and freedoms of data subjects are exempt from notification, although every breach must still be documented internally; where the breach is likely to result in a high risk, the affected data subjects must be informed as well, and processors must report breaches to their controllers without undue delay. Companies, however, appear baffled as to the exact steps to follow when a breach falls within this provision, with many complaining that the new framework forces them to re-examine their internal processes and invest in costly technical and organizational systems capable of meeting the newly introduced notification deadlines.
With the first part of the GDPR's two-year lead-in period now over, the remaining 16 months until the Regulation becomes directly applicable are pressing for Greek businesses, which need to prepare their compliance checklists as soon as possible and devise an efficient, timely plan for reaching full regulatory compliance. Recent statistics, however, reveal that more than 50% of Greek companies have yet to start any GDPR-related work, while a significant part of the Greek market lacks even the basic management and organizational infrastructure that would allow it to meet the minimum requirements of the new legislation.
Rather than getting lost in the maze of information that needs to be administered and processed, Greek businesses should first acquaint themselves with the new framework and conduct an information audit of their records, data archives and data storage systems, in order to map the kinds of personal data they hold, where the data come from and where they flow to, and the categories of data subjects concerned. The output of this audit is also the natural starting point for the record of processing activities that the GDPR requires most organizations to maintain. Once this mapping is complete, it will be far easier to reconsider and reform internal procedures and mechanisms to accommodate the demands of the GDPR.
In general terms, and notwithstanding the waters that remain uncharted for the time being, the GDPR is a comprehensive legislative text that aims to define a secure and harmonized framework of data protection, and it backs that framework with significant administrative fines: for the most serious infringements, up to EUR 20 million or 4% of the infringing company's total worldwide annual turnover, whichever is higher.
By Panagiotis Drakopoulos, Senior Partner, and Mariliza Kyparissi, Senior Associate, Drakopoulos Law Firm
This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.