The European Union’s General Data Protection Regulation is set to go into effect on May 25th. All companies that process personal data, regardless of their size and profile, are subject to the new regulations. It is therefore no surprise that the matter concerns every company, since the media that hold protected personal data include electronic mail, servers, mobile devices and even USB drives. What is considered personal data? Name, address, payment information, IP address, login, password, username, email address, geolocation, cookie, device and application ID, and RFID tags.
GDPR requires companies to prepare not only the application system itself but also the entire IT infrastructure. There is not much time left to introduce the changes, and failure to implement them will result in large financial penalties.
Software companies are obliged to apply the best security measures available to their knowledge and technology, such as encryption or pseudonymization. The most important areas concerning personal data storage are log storage, data encryption, and backups. Article 32 of the Regulation underlines the importance of securing data processed in IT systems.
It also states that administrators (controllers) and processors shall put appropriate technical and organizational measures in place. In doing so, the administrator and the processor should take into account the state of technical knowledge, the cost of implementation, the nature, scope, context and purposes of processing, and the risk, of varying likelihood and severity, to the rights and freedoms of natural persons. At the same time, the article gives examples of possible measures that can be used:
- pseudonymization (processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that prevent it from being attributed to an identified or identifiable natural person) and the encryption of personal data;
- the ability to continually ensure the confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
- regular testing, assessing and evaluating of the effectiveness of the technical and organizational measures for ensuring the security of processing.
From the above-mentioned provision of the Regulation, it can be seen that the legislator does not indicate any specific security measures for fulfilling the obligation to secure personal data. Therefore, companies can breathe a sigh of relief: GDPR will not strictly regulate organizational or technological data security guidelines. Businesses have some leeway to decide for themselves and assess the required level of security. The methods mentioned ought to provide the right level of protection, but they are just a drop in the ocean considering today’s security requirements.
Without artificial intelligence and the latest generation of security solutions, it will not be easy to cope with the numerous hacker and cyber attacks.
The protection of personal data under GDPR should result in the administrator (the party processing data) acting in accordance with the law. An IT specialist should not be the only person responsible for protecting data and implementing the changes across the entire company. This process requires the cooperation of several departments: teams responsible for the organization of work, physical security, and legal services need to be involved and work together to prepare for the changes to come. In the future, any program used to manage IT will have to meet the GDPR standards to be marketable. The software producer should ensure that the system provides the possibility of pseudonymization and data minimization, as well as adequate protection of the collected data. Attention should also be paid to creating backups, securing workstations, and locking down Internet access itself.
GDPR and user data
Knowledge is key. The user needs to know for what purpose the data is collected and by whom, as well as who will have access to it. A person should know how to protect their private data and be informed how long it will be stored. With regard to employment, at present the employer has the right to expect job candidates to provide their first and last name, their current employment, their parents’ names, date of birth, education or address. After the new regulations enter into force, the employer will not be able to process data that is not related to the employment relationship; it will be able to process such data only after obtaining the employee’s consent in written or electronic form. There will also be a ban on processing information about the health of an employee or a job candidate, including sexual orientation, addictions, and political views. Instead of a home address, only a correspondence address, e-mail address or telephone number will need to be provided.
How about monitoring your employees?
The GDPR is expected to change over 130 laws, most importantly the Labor Code. Every employer will be able to monitor the work performed by employees, including e-mails sent and received. This will also cover mobile phones. Monitoring may include checking the frequency of Internet use, visits to social networking sites, or recording employee conversations; in the latter case, however, the employee will have to inform callers that the call may be recorded.
Monitoring should serve only and exclusively to ensure the safety of employees, to protect property, or to preserve the confidentiality of information whose disclosure could expose the employer to harm. The condition will be to inform the employee about such supervision about two weeks before it starts and to set out the purposes, scope, and methods of control in the system. If the employer comes across an employee’s private correspondence during monitoring, he will not be allowed to read it.
It will be unacceptable to use image recording devices as a means of controlling employees’ work, or to monitor rooms not intended for carrying out work, such as sanitary facilities, cloakrooms, canteens or smoking rooms.
Penalties for neglecting the procedures contained in GDPR
With GDPR entering into force, businesses should expect more inspections by supervisory authority inspectors, who will be responsible for verifying to what extent the company has implemented the new regulations. Violations carry high fines. The previous Act of 29th August 1997 on the Protection of Personal Data provided for two types of sanctions for violating its provisions: administrative sanctions and criminal penalties.
Under the Regulation, the situation will look different: legal remedies of an administrative nature and high administrative fines will apply. A user whose personal data has been violated has the right to lodge a complaint and to seek individual compensation for material and non-material damage. In the event of a GDPR violation, the supervisory authority is entitled to issue to companies, among others: warnings, reprimands, a prohibition on data processing, an order to notify the data subject of a data protection breach, or a suspension of data flows.
Such corrective measures may be imposed on businesses alongside or instead of other sanctions, including administrative fines. Depending on the category of violation, the supervisory authority may impose a fine of up to EUR 10,000,000 or EUR 20,000,000 or, in the case of a company, up to 2% or 4% of its total annual turnover from the previous financial year. Bear in mind that the imposition of an administrative fine will not release a company from civil liability towards data subjects and, in the most serious cases, it will be supplemented with criminal liability.
GDPR is not directed against companies; the reform has citizens’ well-being at heart. It seems reasonable to start taking appropriate measures now to avoid high penalties and the damage caused by inspections.
If your company handles customer information via help desk software, make sure to contact OPGK Software to receive information on the amendments available via the most recent GDPR-compliant OTRS add-on. Apart from the possibility of purchasing the plugin, we also offer OTRS implementation and customization services.