In light of the announced ending of the state of emergency in Serbia, businesses must check and ensure their compliance with data protection regulation, which has remained fully applicable even during these exceptional times.
Ever since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the data protection landscape in Europe has faced a new reality.
In EU countries, GDPR is directly applicable.
However, GDPR contains extraterritorial provisions that also bring within its scope any company that offers goods or services to persons in the EU or monitors such persons' behaviour. The latter is, in practice, usually done via online tools, e.g. when companies and other actors use cookies on their websites to track EU citizens' behaviour on the Internet.
So, because of these extraterritorial provisions, many non-EU entities, including a large number of Serbian businesses, are subject to GDPR.
In any case, Serbian businesses must observe the new Serbian Data Protection Act (DPA), which became applicable on 21 August 2019 and contains rules almost identical to those of GDPR.
Why are these new legal acts relevant for companies?
For various reasons, but the main one is surely the focus of the new rules on the business processes in which companies process personal data.
Admittedly, the previous rules are not very different in terms of general requirements.
However, the big difference lies in the brand new legislative focus, which has shifted from formal compliance requirements (legal documents) to factual ones (business processes).
Therefore, this legislative change requires a somewhat different methodology for achieving compliance and avoiding penalties.
That leads us to the other important change: the fines for non-compliance.
Namely, fines for violations of GDPR range up to EUR 20 M or up to 4% of the company's total worldwide annual turnover for the preceding year, whichever is higher. In Serbia, misdemeanour fines have been doubled and now range up to RSD 2 M (approx. EUR 17,000) for a single misdemeanour.
In this context, companies that wish to avoid non-compliance risks can no longer rely on lawyers to draft a set of internal acts that will be adopted and then put in a drawer.
For that reason, GDPR or DPA compliance is achieved through the joint endeavour of business people and legal specialists.
How to comply?
Through a process that, in our view, has five standard phases, all of which boil down to making sure that the business activities within the company which require the processing of personal data are undertaken in compliance with the relevant data protection principles.
So, the first goal is to seek out and identify such activities, whereas drafting procedures and rulebooks comes last.
- Data mapping
For this reason, legal specialists have to obtain information about the relevant business practices from the people within the company who engage in them. This is done through a data mapping analysis or data inventory exercise. Best practice shows that the use of appropriate questionnaires is the most efficient way to do this. This step should also include identification of the existing internal documents that are relevant to data protection issues.
- Gap analysis
With the results of the above data inventory, the legal specialist conducts a gap analysis in order to identify the gaps between the current systems and the data protection requirements, and to define priorities.
- Implementation plan
The results of the gap analysis and an understanding of the risk levels are the foundation for a concrete implementation plan. Based on the implementation plan, which is tailor-made for each company, i.e. each implementation project, the realization phase begins.
- Realization phase
The realization phase is therefore highly individual and depends on each organization's size and overall data protection level. However, implementation usually includes all or some of the following:
- Determining the appropriate legal basis for data processing under the GDPR and/or DPA;
- Implementing GDPR/DPA principles in all business processes that involve personal data;
- Implementing IT/cybersecurity measures;
- Addressing international data transfers;
- Regulating relationships with data processors and joint controllers, i.e. drafting and executing appropriate agreements;
- Assessing the need to conduct a Data Protection Impact Assessment (DPIA);
- Assessing the need to appoint a Data Protection Officer (DPO);
- Finalizing record of processing activities, based on data inventory.
- Drafting documents
Thank you for reading. Please note that this article attempts to convey our approach to handling data protection matters. Therefore, like all other materials on this and our website, it has been prepared for informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. As a result, you should always consult your own legal advisors before engaging in any transaction.
By Miomir Stojkovic, Principal, Stojkovic Attorneys