GDPR – General Data Protection Regulation
25/05/2018
New European Regulation GDPR 2016/679
A few words about the regulation
The GDPR was voted by the European Parliament on 16 April 2016.
From 25 May 2018 it applies directly as law in all the member states of the European Union. From that date the previous regulatory framework for the protection of personal data is repealed and many aspects of it are amended.
The Regulation is of general application, binding in all its elements and directly applicable in all the Member States of the European Union. To a large extent it concerns the security procedures and the risk management of a company or organisation.
It was created to give citizens more control over their personal data and to push businesses and organisations towards strong protection of the personal data they hold.
The Regulation regulates the rights of individuals
The new European Regulation GDPR 2016/679 replaces Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The Regulation regulates the rights of individuals to:
- their personal data,
- the processing of their personal data,
- the free and unhindered movement and transfer of their personal data within the borders of the European Union,
- procedures for the transfer of personal data outside the European Union.
Other critical points that affect a firm's reputation and liquidity include:
- the obligation to notify the authorities and customers within a set period of time,
- the publication of personal data leaks,
- compensation to data subjects who have suffered damage.
The concept of personal data
Personal data is any information relating to an individual (the data subject) that can be used to identify that person directly or indirectly. Examples of personal data include a name, a photo, an email address, bank account details, social networking posts, medical information, or a computer's IP address.
Key steps you can take to align with the GDPR
- Identify where personal data is held in your business or organisation.
- Create policies that clearly describe how and why your business collects and processes personal data.
- Set up a risk management programme to protect your data.
- Comply with the Regulation's standards on transparency, accountability and record keeping: handle data subject requests and maintain the required documentation.
The requirements of the Regulation
The range of requirements for businesses and organisations that collect or process personal data is broad; the six basic principles are presented below:
- Transparency, fairness and lawfulness in the handling and use of personal data.
- Restricting the processing of personal data to specified, explicit and legitimate purposes.
- Collecting and storing only the minimum volume of personal data required for a purpose.
- Ensuring the accuracy of data, including the possibility of deleting and correcting it.
- Limiting the period for which personal data is stored.
- Ensuring the security, integrity and confidentiality of personal data.
Businesses need to be aligned with the following:
- Process their customers' personal data lawfully, fairly and transparently.
- Collect personal data only for specified, explicit and legitimate purposes.
- Limit processing to cases where it is necessary.
- Keep the data processed accurate.
- Do not extend processing beyond the necessary time frame.
- Processing is legitimate only when appropriate safeguards are in place to ensure the protection of personal data.
Key changes introduced by GDPR
The GDPR imposes a series of new obligations on controllers, stemming from the basic principles: in particular the enhanced transparency principle on how data is collected, processed and kept, and the new principle of accountability, under which the controller is responsible for, and must be able to demonstrate, compliance with all the principles governing the processing of personal data. New rights are also introduced for data subjects, such as the right to privacy and the right to data portability.
The sanctions provided
The sanctions provided by the new Regulation are extremely high and amount to up to EUR 20,000,000 or up to 4% of the total annual turnover of the previous financial year (whichever is higher).
This is the maximum fine that can be imposed for the most serious offences (e.g. failure to obtain the customer's consent for data processing in a lawful manner, or violation of the privacy by design policy).
Fines escalate with the seriousness of the infringement.
For example, an enterprise may face a fine of 2% for unlawful keeping of its records, late notification of a detected data breach to the data protection supervisor and to the data subject, or failure to carry out impact assessments.
Consequently, non-compliance with the new arrangements carries the risk of a fine imposed by the supervisory authority which may spell economic disaster for the organisation or company.
Data breaches liable to compromise data subjects must be notified to the competent data protection authority within 72 hours. In addition, the data subjects must be informed without undue delay.
Bodies that need to be in harmony with GDPR
All public and private sector bodies and organisations that process personal data as part of their activity must comply with the GDPR.
Any company, organisation or government agency that collects, records, stores, discloses by transmission, combines, deletes or destroys information relating to an identified or identifiable natural person is obliged to apply the new regulation.
Steps to comply with the Regulation for every business / organization
The GDPR and the activities that will be most affected
As we have seen, all businesses that keep or process personal data of European citizens are affected by the implementation of the new regulation. However, some activities will be more affected by their nature:
- Hotel Services
- Health Services
- Financial Services
- Human Resources Services
- Hospitality & Travel Services
- Internet / Personalised Sales Services
- Telecommunication Services
- Energy Services
- State Sector
- Data of Schools
Schools data
ENERGY FINANCIAL GROUP offers specialised GDPR compliance services for educational units (public and private schools, language schools, language centres, etc.).
Aware of the responsibility involved in processing minors' personal data and recognising the importance of the mission of educational units, we propose solutions that combine protection of personal data against processing with its free and safe movement.
Sports Associations Data
The Energy Financial Group has handled cases involving athletes, gyms and sports clubs. Its members have been athletes and have acted as consultants to sports federations.
Furthermore, its experience in organising sports events and activities contributes to the rapid and effective drafting of a privacy policy.
E-Commerce Data
E-Commerce is a daily reality that is constantly gaining ground, but it also increases the risk of phishing and of theft of customers' personal data.
The necessary cooperation of e-shops with IT providers outside the business, and the often large-scale processing involved, increase the need for lawyers and IT specialists who deal exclusively with e-shops. Our team includes such a lawyer and an IT partner. Knowing how data flows through these businesses allows us to reduce the cost of providing our services.
Data of Municipalities and Regions
ENERGY FINANCIAL GROUP offers specialised GDPR compliance services for legal entities governed by public law such as Municipalities and Regions. Not only private companies but also government agencies processing personal data must comply with the new regime.
The team includes lawyers trained in public law who will provide all the effective tools that help each public body operate properly in accordance with all its obligations under the Regulation.
Tourism Business Data
ENERGY FINANCIAL GROUP offers specialized GDPR compliance services for tourism businesses (hotels, catering, travel agencies, etc.).
In a country where tourism is its "heavy industry", it is crucial that all stakeholders adapt to the new regulatory regime of personal data law, and that every tourist business continues to function properly.
Energy Financial Group has the IT capability and experience in managing and exchanging tourist data, so that adaptation to the new regulation can be completed in a very short time. In addition, profiling and the transfer of data to and from abroad make hotels and travel agencies data controllers that are particularly exposed to complaints.
Diagnostic Health Centers
Energy Financial Group is aware of the operation and contractual obligations of diagnostic centers and their legal particularities.
Its experience in health data makes EFG a reliable partner in transferring and sharing your customer data.
Genetic Data and Medical Assisted Reproduction Unit Data
Banks of genetic material such as stem cells, semen and ova manage data that concerns not only the subjects of that data but also their offspring.
Donor anonymity is not the only thing that a Medical Assisted Reproduction Unit should protect. Haematological examinations, surrogate mother data, data on social parents and relatives, and other illnesses are an important part of the data handled by these units.
Hospitals
All kinds of secondary and tertiary health care institutions, by definition, process health data on a large scale.
The compliance obligations of hospitals under the GDPR are all the more pressing in the case of underage patients or patients coming from abroad, whether from inside or outside the European Union.
Energy Financial Group is actively involved in the compliance of organisations and businesses that manage personal health data and undertakes the full range of relevant actions and processes.
Psychiatric Data
Psychiatric data is sensitive data by definition, to the extent that it is questionable whether, and under which exceptions, access to it by the patients themselves is permissible.
The principle of necessity and convenience finds wide application here: consistent with the case law of the Personal Data Protection Authority, the export of medical data from psychiatric units must be done sparingly and with minimal formalities.
Energy Financial Group has extensive experience and scientific standing (publications and speeches) on issues of psychiatric confidentiality, involuntary commitment, and how psychiatric unit data should be kept. It manages the data protection policy not only of private psychiatric units but also of Mental Health Units.
- Data Privacy Impact Assessment: a data protection impact assessment to identify the most important risks.
- Compliance Action Plan, with proposals for the necessary measures, and support and guidance for their implementation.
- Development of all required privacy policies and procedures, in a unified personal data management system under ISO 27001 or, independently of that, under another appropriate Privacy Seal.
- Creation of the personal data processing record.
- Information and participation of managers and staff involved in the process of harmonising the company with the GDPR (what its requirements are and how it affects the operation of the directorates and departments and of the company as a whole).
- Development, where required by GDPR, of data leakage and / or security breach procedures.
- Outsourcing Data Protection Officer (DPO)
- Legal Services GDPR
- IT Services GDPR
- Cyber Security Insurance Services.
DPO (DATA PROTECTION OFFICER)
The Data Protection Officer (DPO) is a key security role within a company, required by the General Data Protection Regulation (GDPR).
Data Protection Officers are responsible for overseeing data protection strategy and its implementation, in order to ensure that a business or organisation complies with the GDPR requirements.
The Data Protection Officer is appointed on the basis of professional qualifications, and in particular on the basis of experience and knowledge of data protection law and practices.
The DPO may be a member of the staff of the controller or processor, or may perform the duties under an outsourcing DPO arrangement. The controller or processor publishes the contact details of the Data Protection Officer and notifies them to the Supervisory Authority.
Inform and advise the controller and processor
Inform and advise the controller or processor and the employees who carry out processing of their obligations under this Regulation and other Union or Member State data protection provisions.
Monitor compliance with this Regulation
Monitor compliance with this Regulation, with other Union or national data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
Provide advice on impact assessment
Provide advice, where requested, on the data protection impact assessment and monitor its performance in accordance with Article 35.
Collaborate with the Supervisory Authority
Act as a contact point for the supervisory authority
Act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and consult, as appropriate, on any other matter.
Data Leak Risk Control
In the performance of his duties, the Data Protection Officer shall take due account of the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
CERTIFICATES RELATING TO GDPR
Energy Financial Group has set up task groups to study your organisational structure and documentation and to prepare proposals for the final certification of your organisation under the following quality systems:
- Certified specialisation in the field of personal data protection, through employment in internationally certified businesses
- ISO 27001, the main international standard for information security
- PCI, the international standard for businesses that handle payment card data
- ISO 27018, the international standard for the protection of personal data in the cloud
- ISO 27017, the international standard for data security in cloud services
- ISO 27799, the international standard for the security of health data
- ISO 27011, the international standard for data security in telecommunication organisations
- ISO 27015, the international standard for data security in financial services
Specialized Services for the Harmonization of Hotels with GDPR
- Energy Financial Group has staffed a team of legal advisors specialising in Personal Data Protection Law and in harmonising hotels with the GDPR
- The software engineering (IT) team of Energy Financial Group specialises in reservation software and management systems for hotels and travel agencies
- A study and documentation team aims at securing, harmonising and certifying hotels
- DPO outsourcing services, so that a certified Data Protection Officer (a member of our team) undertakes the fixed-duration work of harmonisation with the GDPR