Does a natural person, having full rights to administer his data, have, under GDPR, the ability to forward/share these rights to another company to allow for service performance?
Absolutely. In a perfect world, for example, when dealing with a customer service line, a customer should have the ability to modify his data. But he should have and has the option to give this right to a company’s employees. It can happen by clicking a button on an internet page that gives the permission for personal data processing. It can happen by generating a service ticket in the system. It all depends on what the infrastructure on the customer’s side looks like.
One of the elements of GDPR is a company’s obligation to disclose to the customer (in the form of a .pdf file, for example) the data that the company processes that are linked to this customer. What will happen if the company refuses to hand over this information to the customer?
The penalty for breaking the law will be specific to each case. An appropriate office will be analyzing the reasons why the company refused to hand over the information.
A natural person will have the ability to ask the company or the office to exchange the personal data among themselves. This, for example, can be handy when asking for a loan. It drives the need to create a system for the exchange. Is there a need for inventing a special system for this, hiring a new employee, etc.?
The right to exchange personal data between organizations is a new definition under GDPR. I think that many people will have a hard time when talking about the right to forward the data to another organization on the one hand and the right to share them between two organizations on the other. The fact is that the personal data administrator will have the right to refuse the execution of the forwarding process when the other organization does not have the capacity to take this data, or in the situation when the organization will process the data by means other than those listed in the contract or agreement.
I think that within the first year after GDPR implementation, or even further down the road, we will have to learn how to refuse data transfers because it can be overused. Sharing, access to data and transfer – these are all different conceptual sets.
Another element of GDPR is “the right to be forgotten”. It often happens that the time of performing services is long gone, but the personal data is still in play. Do companies have an obligation to delete the data in this case?
“The right to be forgotten” is in play when the administrator goes public with personal data. He does not have the responsibility to take care of the matter personally. He has the responsibility to inform a person that he forwarded to another person the demand to delete the data, information about the data and a copy of the data.
What GDPR does in this case is that it produces a long list of exceptions. The exception we will probably use very often is what’s called “data retention”, or the responsibility to store the data long after the expiration of the contract itself. For example, in the case of an ongoing investigation or for the purpose of protection from legal claims.
Organizations have to look through every document they have, including policies for privacy. This is the level of information about cookies – why we are implementing them and what we are doing with them. If cookies are used for profiling then it needs to be described according to the law about profiling. The agreement for cookies on the user’s side is not changing, though. The user is still expected to agree to cookies by clicking on the button (it applies especially to the so-called “scoring”).
What about existing customers? Does a company have a responsibility to present annexes for already existing contracts?
Organizations should look through their contracts; it can be the case. It will definitely be the case for a “personal data processing agreement”, if it was made before April 27th, 2016 and article 28 of the GDPR was not considered in the content of the contract.
Is there a difference between internal and external preparations? Is an entrepreneur obliged to prove to the office that his company’s daily business is aligned with GDPR? If so, what form does this proof need to take?
No, the administrator does not need to produce evidence. The exceptions would be an inspection, a legal claim or a criminal proceeding.
GDPR introduces the option to obtain certification and something called “codes of conduct”. This is a form of telling everyone interested that the organization is administering the data in the right way and that they are safely stored.
Does the organization need to audit itself for the purposes of GDPR and data safety? Who will assure the owner that his company operates according to guidelines and within the lines of the law?
No, the certification and “codes of conduct” are not mandatory. The responsibility, however, rests entirely on the entrepreneur and in some cases on the processing entity.
What hoops does a company need to jump through in order to be aligned with GDPR? Internal documentation, project documentation, the product itself (meaning software), documentation sent to the appropriate office?
All of the above, plus vendor relations; they need to be aligned as well. We also have to remember future product development and information security.
Is there anything that needs to be ready when GDPR hits? Any documentation for offices?
The regulations themselves are the direct source. There could also be a bill specific to each country that modifies the local law. You have to watch closely both GDPR developments and your possible local law, as well as information provided by the EU, to align your operations with developing events.
How will GDPR compatibility look as time passes? Will there be room for periodic inspections?
There will now be external inspections. Good practices demand, though, that internal periodic inspections take place. It’s worth it to do them at least once a year, taking a close look at procedures, documents, security levels, etc.
The GDPR does not introduce a special form of documentation that the organization has to present to an office. If documentation is being made, it’s only for internal purposes, for security reasons and for data security, including assets and continuity of activity. We have to remember that there is no business without access to personal data, so we have to protect it.
What about a potential data leak or theft? To whom should the company go with this situation and how much time will it have to resolve the problem?
GDPR is rich with information about the rules in these kinds of situations. In other cases not covered there, a company has a 72-hour window to report a leak or a theft, counting from zero hour. Noteworthy, though, is that a company must also present the set of steps that it took in order to minimize the risk of further propagation of the illegal activity and its consequences.
Firms also need procedures in case of data theft. What do we have in mind when using the term “procedures”? Is there anything besides taking the case to the appropriate office?
Organizations need plans for continuity of operations. It means that they have to know what exactly will happen if personal data is simply not there for them to use. These are procedures linked to relations with vendors, rules for hiring people, data sharing between systems, backups and a whole lot more.
Are there any data describing the costs for aligning the company to the guidelines of GDPR?
Costs will naturally vary, but it’s good to think of them as an investment. Start with hiring an employee who, under the new law, will be recognized as the administrator of personal data. Other costs will include software that will allow firms to check where personal data resides in their organization and what’s happening to them… or expenditures on penetration tests.
What sanctions are foreseeable for not aligning your business to the new law?
Legal penalties can be specified by any country within the EU and their internal legislation. Look for the appropriate legislation in your country by visiting a local Law Journal. What can also take place are the aforementioned financial repercussions and remedial prerogatives.
Cyberlaw.pl is a company offering legal consultations in the pay-by-the-hour model (different packages available) or project-based (fixed price model). The expert team consists of attorneys-at-law, economists, analytics specialists, and IT security engineers. This variety benefits the customers.