You must have already seen or heard these four letters somewhere sometime recently. Or maybe you have heard the words “new law on protection of personal data”, which is not a completely apt term but it does the job in describing the situation which is to come in May 2018. Maybe you have tried searching for answers to your questions related to this on the internet and you have probably seen a number of articles, ranging from distressing ones, ones talking about a revolution in personal data protection, to ones that want to sell you some magical software which apparently can do absolutely all the work around GDPR for you. If you manage to get through all this, you will also find articles that can offer you some useful information. But it can also happen that you get lost in the amount of information.

So how to find your way and filter the amount of information that will keep coming and coming with the approaching date when the GDPR comes into force?

Let’s look at it together in this article and explain a little bit about the GDPR: 

GDPR stands for General Data Protection Regulation and it is a new legal provision regulating protection of natural persons with regard to the processing of personal data. The transitional period for meeting its requirements ends on May 25^th, 2018. This EU Regulation provides new obligations for all subjects processing personal data and it also provides the mechanism for the implementation; also the possibility of imposing big sanctions. The Regulation provides approach to personal data processing based on accountability. In practice that means the obligation to always be able to prove accordance with the new legal provisions. The rights of natural persons whose personal data is processed are expanding (for example, rules for agreement about personal data processing are specified, a new right to data portability is implemented). This obviously brings more obligations to subjects that process personal data.

However, the general principles of personal data protection remain unchanged. For those who already process personal data in accordance with Act 101/2000 Sb., on the protection of personal data, the GDPR will not be so much work and worry as it might seem. To find answers to your GDPR related questions it is good to first analyse the current state of things; define which processed data is considered personal and define their scale and category. Furthermore, it is necessary to determine what risks can the processing of such data include. Such an analysis can help you avoid implementing regulations which do not concern you and your company, and at the same time determine any new obligations (e.g. Naming the data protection officer, files on processing activities etc.) This way you can be ahead for the implementation of the GDPR if you analyse the current state of things and their accordance with the new regulations.

The much discussed penalties, which can rise to big heights if the regulation is violated to a great extent, should be not only discouraging but also effective and proportionate. Since there are several more corrective measures, such as notifications, warnings, and orders to take action etc., not every violation of the general regulation must lead to a penalty. Only practice will show how strict the newly created supervisory authorities, which shall substitute the Office for Personal Data Protection, will be.

We recommend that you give extra attention to the changes relating to personal data protection. This way you will be able to limit the risk of complaints from your consumers, your competition, or discontented employees.

We recommend you start the analysis of personal data processing in your firm as soon as possible and adjust the internal processes accordingly in all areas concerned with the processing of personal data, and adjust the personal data databases, as well. And, if need be, change the consent to personal data processing forms and agreements.

Last piece of information at the end?
This does not end with May 25^th, 2018. Being in accordance with the GDPR is going to be a process which will require correct assessment of potential risks and of one’s priorities.