As is already well known, Regulation 2016/679 of the European Parliament and of the Council of April 27 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/WE, will come into force on May 25 2018. By then, all organizations must bring their processing of personal data into line with its requirements. Failure to comply will result in significant financial penalties.
Given the scale of the changes ahead of us, it is worth taking time to reflect on this topic. At Comarch, we are aware of the work that is required, and we are working intensely to comply with the EU requirements. In this article, I focus on the obligation to notify the relevant Inspector General for Personal Data Protection (in Poland, this is Generalny Inspektor Ochrony Danych Osobowych – GIODO) of any breach of personal data protection.
Under current law, a data controller is not obliged to inform GIODO of incidents concerning personal data protection. The exception is telecommunications companies, whose duties in this respect are stipulated in the Telecommunications Law act. The new RODO provisions that come into force in 2018 will change this. From that date, a personal data controller will be obliged to report every breach of personal data protection to a supervisory authority such as GIODO within 72 hours of becoming aware of it. The only exception is a breach of personal data security that poses a low risk to the rights and freedoms of individuals. A breach of those rights and freedoms means, inter alia, physical injury and damage, both material and non-material. It can be read as individuals losing control of their own data, which may result in identity theft or in loss of or damage to reputation. It may also mean discrimination of any kind, violation of the confidentiality of personal data covered by professional secrecy, or any other economic loss or social harm caused by the breach.
Evaluating whether a breach is low risk or whether it should be reported to GIODO will be a new and substantial responsibility for data controllers. The penalty for failing to report a breach may be as high as €10m or up to 2% of the enterprise’s total annual worldwide turnover from the previous financial year. If the breach is reported to GIODO more than 72 hours after being identified, the data controller will be obliged to provide grounds for the delay.
Each report has to contain several pieces of information about the breach, which are:
- A description of the nature of the breach of personal data protection
- The category of breach and estimated number of individuals affected
- The circumstances under which the breach occurred
- An indication of the type of data to which the breach relates (first name, second name, address, etc.)
- A description of the potential consequences resulting from the breach
- Details of the data protection officer, with an indication of whether this person was appointed by the data controller, or a reference to another person who is able to provide further information
- An indication of the measures taken, or proposed to be taken, by the data controller to prevent further breaches of personal data protection
- Where applicable, the measures taken to minimize the possible adverse impact of the breach
The form in which breaches must be reported to GIODO has not yet been specified. Nevertheless, this obligation on the data controller seems to be one of the largest changes brought by the RODO Regulation. Entrepreneurs may see it as a form of reporting on themselves, but the Regulation coming into force in May 2018 leaves no other choice. It arises from the need to protect the individuals whose personal data these enterprises process. The new rules will apply uniformly in all EU member states, which should make the law easier to apply for business entities operating on international markets.
Adapting to the new requirements will surely consume a lot of time, and will place a heavy burden on the workload and finances of all enterprises, large or small and operating locally or internationally, that process personal data. The European Union set an initial deadline of two years for enterprises to take all necessary measures to bring their operations in line with the new legal regulations. As of today, we have less than nine months to become compliant with EU law. There is not much time left, so companies that have not yet started this process should expect considerable complications and problems by May 2018.