Starting May 25, 2018, all companies, irrespective of their field of activity, have to comply with the stricter rules on personal data processing introduced by General Data Protection Regulation No. 679/2016 (the GDPR) or face significantly larger fines. The gap between the current maximum fines, which cannot exceed EUR 22,000, and the fines under the GDPR, which can go as high as EUR 20,000,000 or 4% of the annual worldwide turnover, has drawn a significant amount of attention to the topic.
But, beyond the daunting fines, it is the organizational and technical impact that the compliance measures will have that is of particular concern for companies in Romania, as the GDPR introduces several concepts which currently do not exist under Romanian law, requiring all organizations to adapt their internal processes accordingly.
First, organizations need to reassess the legitimacy bases they rely on for their processing operations, as Romanian law currently qualifies consent as the main legitimacy basis, while other bases (such as contract execution, legal obligation, and legitimate interest) are deemed exceptions to the general consent rule. Under the GDPR, all bases are deemed equal, and hence organizations may rely on the most appropriate in light of the elements of their processing. Thus, with the introduction of stricter rules under the GDPR when the processing relies on consent, companies should reassess their legitimacy bases to avoid unnecessary impacts on their activities.
Moreover, organizations need to introduce a data protection impact assessment in their internal decision-making process for operations which may entail high risks to the rights and freedoms of natural persons. Data-intensive areas like banking, retail, online, and insurance are particularly affected by this requirement, but other industries are by no means exempted. This is especially the case since various initiatives in the employment field, such as complex employee evaluation processes or GPS monitoring, may also trigger the need to perform data protection impact assessments.
The entire procurement process needs to change as well in order to address the requirement to implement privacy by design and by default, as well as to demonstrate that any processors used in the processing operations have provided sufficient guarantees about their ability to address GDPR requirements. The new minimum content set by the GDPR for contracts with processors, including auditing rights, will also require significant effort in the short term, as companies look into initiating negotiations with their partners to adapt existing contractual arrangements.
Another challenge involves adapting the organizational structure to accommodate the data protection officer role – a concept that does not exist under current legislation. While the guidance already issued by the Article 29 Working Party on the topic provides useful information about how and when this role should be considered, companies still face the challenge of identifying the right persons for the role and of properly regulating their functions, especially where the role is considered for local groups of multiple companies. In this case, beyond the GDPR requirements, companies also need to look into employment, fiscal, and transfer pricing requirements to avoid implementing a structure which triggers risks under the relevant legislation.
Data breach notification requirements, currently not regulated except in the electronic communications sector, will also trigger the need to make adjustments at the organizational level, because the short deadline for the notification does not allow enough time for on-the-spot organization of an incident response.
Finally, the need to create and maintain records of all processing activities is a significant departure from the current requirement to notify the data protection authority in respect of the processing. The current notification obligation applies only in respect of processing operations triggering increased risks, while, under the GDPR, processing records will have to cover all operations of each company. In creating such records, increased attention needs to be given to data flows within local groups, where the separation of processing operations per entity is sometimes elusive.
These are only a few of the challenges posed by the GDPR for companies operating in Romania. But companies assessing and dealing with them head-on now have a better chance of ensuring compliance with the GDPR from May 25, 2018.
By Roxana Ionescu, Partner, Nestor Nestor Diculescu Kingston Petersen