GDPR in a nutshell

New deadlines, the obligation to keep records of activities or to report any serious personal data breach. These are some of the innovations that every institution will have to keep in mind from 25 May. GDPR in a nutshell.


We provide a brief summary and overview of the new GDPR obligations in the following article.

Although personal data has been protected by law in the Czech Republic for almost twenty years, many people feel that the General Data Protection Regulation brings about dizzying changes. This is not the case.The GDPR essentially builds on existing law, refining or extending it in some respects, and there are only a few new features. What are they?

Terminology

The regulations will introduce some terms that may be confusing to the uninitiated:

  • processing of personal data = operations carried out with personal data obtained, i.e. it is not every use of any person's data in any situation,
  • data subject = the person whose data is involved,
  • controller = one who processes personal data,
  • processor = one who is authorised by the controller to process personal data.

Activity records

All institutions, without exception, will from May onwards have to keep records of the activities they carry out with personal data. We recommend that you create a form for this purpose and record the information required by Article 30 of the GDPR on it.

Security Breach Notification

It will also be mandatory for everyone to report any serious personal data breach to the Data Protection Authority under Article 33 of the GDPR within 72 hours of becoming aware of it.

Codes and certificates

Where a company's activities involve the same or similar processing of personal data, the GDPR recommends that a code of conduct be drawn up for such activities. However, such codes, as well as, for example, data protection certificates, will not be mandatory.

Data Protection Officer

Offices, schools, hospitals and other institutions that make decisions about citizens' rights will have to have a data protection officer from May. This is a person who will be fully dedicated to data protection issues. The duties of the so-called DPO (Data Protection Officer) will be mainly to control the processing of personal data in a particular institution and to draw attention to any shortcomings.

Consultation with the Data Protection Authority

The DPO is preparing a so-called list of risky operations. These will be activities related to large-scale processing of personal data, such as profiling people via the internet, where detailed information about their private lives is obtained for marketing purposes. For example, the introduction of new technologies into such processing may be similarly risky. For all such cases, the GDPR recommends consultation with the Authority.

Sanctions

One of the biggest bogeymen of the General Data Protection Regulation are the fines imposed for non-compliance, which reach astronomical amounts. However, large multinational corporations in particular should beware. In general, then, penalties should in any case be proportionate, not liquidating.

So remind yourself how to go about putting processes in place to comply with the GDPR with our infographic

If you come across any other areas that are new to you in the run-up to 25 May and you're not sure what to do, please don't hesitate to get in touch. We will be happy to discuss everything with you.