Cover Story
Winter 2018 / Issue 56
EU’s General Data Protection Regulation – Game Changer in the Digital Revolution
In today’s digital business world, mastering privacy and data protection has become an imperative. Adequate protection of personal data is in high demand from both customers and regulators.
The increased deployment of privacy-invasive technologies, such as Big Data, mobile apps and customer profiling, has been accompanied by a growth in privacy-related incidents and scandals. By not adequately protecting personal data, organizations risk losing the trust of their clients and employees. Furthermore, regulators worldwide have intensified their oversight and enforcement of data protection, which has led to the development of new rules and regulations.
The General Data Protection Regulation (GDPR) is the European Union’s view of the baseline expectations for processing the personal information of EU citizens as we continue through the digital revolution. It is a fundamental game changer with a broader geographic reach, and it introduces reporting standards, controls, and fines of up to 4 percent of a company’s global turnover.
Srdjan Randjelovic, Partner, Audit & Advisory, KPMG in Macedonia
The GDPR was ratified after four years of negotiations between European legislators and resulted in a single set of privacy rules across the EU Member States. This harmonization goes even further, as the GDPR has cross-territorial implications. All affected organizations need to be prepared by 25 May 2018, when the GDPR enters into force in the EU.
Against the backdrop of these developments, changes to Macedonian data protection legislation are imminent. It is currently expected that the new Law on Personal Data Protection (LPDP), which should be in line with the GDPR, will be adopted in the first half of 2018.
What are the main new requirements of the GDPR?

The GDPR introduces a number of new legislative requirements. Some of the most important ones are:

Privacy by Design and Default: Privacy by Design is an approach to systems engineering that takes privacy into account throughout the whole engineering process. Privacy by Default simply means that the strictest privacy settings apply automatically once a customer acquires a new product or service.

Privacy Impact Assessment (PIA): A PIA is a systematic process to assess the privacy risks to individuals arising from the collection, use, and disclosure of their personal data.

Mandatory Data Privacy Officer (DPO): A DPO is the person who provides the primary contact point for data protection issues within an organization. Under the GDPR, the appointment of a DPO is mandatory in a number of situations.

Data Breach Notification obligation: The GDPR introduces the obligation to notify a data breach no later than 72 hours after having become aware of it.

Accountability: The organization must be able to demonstrate that a data protection program has been implemented and is run in compliance with the law. This requirement applies not only to data controllers (entities that determine the purposes, conditions, and means of personal data processing) but also to data processors (entities that process personal data on behalf of the controller) and their sub-contractors.

Increased Data Subject rights: Access and rectification, data portability, erasure (the right to be forgotten), restriction of processing, objection to processing, and the right not to be subject to a decision based solely on automated processing.
AmCham Macedonia Magazine