GDPR? Protect your personal data or pay astronomical penalties!

The GDPR catchphrase is starting to be heard across all media. The hype around the EET is dying down and a new concept needs to be shed light on what is arguably an even more challenging measure than the aforementioned EET.


GDPR stands for "General Data Protection Regulation", loosely translatable as General Data Protection Regulation. It is a new EU regulation that was adopted in April 2016 and will come into force on 25 May 2018. It fundamentally affects the issues around the handling and storage of personal data in order to protect EU citizens against unauthorised handling of their personal data. The Regulation targets companies, institutions and individuals who handle personal data of employees, customers, clients or suppliers.

"Many companies live in the naivety that even if they have a few employees, they are not affected, which is not true. Indeed, GDPR applies to all companies that have any employees, or if a self-employed person works for a number of other companies that send and share their clients' data. From my point of view, GDPR affects everyone, just to a different extent," says Eva Škorničková, founder of GDPR.cz

The period between approval and entry into force is intended to prepare for extensive changes in the way we work with personal data. During this period, those affected by the regulation should review their current situation, analyse how they work with personal data and where they store it. Many of them, even though more than half of the preparation period has already passed, have not reflected on this or have not even registered that any preparation is needed or, worse still, have not noticed the existence of the regulation at all.

Data controllers and processors are tasked with implementing the technical, organisational and procedural measures leading to data protection under the GDPR. Among other things, they must implement deliberate and necessary data protection, designate a person to become the data protection officer, implement data pseudonymization, keep records of processing, and consult with the supervisory authority before starting to process data. We will discuss the obligations in more depth in future articles.

In the event of a breach, failure to implement or prepare for the new regulation, obliged entities face high fines, which in many cases can be devastating. The maximum amount of fines is astonomical 20 million euros or 4% of the company's total annual turnover (the higher of the two) and the amount of the fine is not dependent on the size of the company, so a company with five or five thousand employees can be fined the same amount. The amount of the penalty depends on a number of factors such as the nature of the data compromised, the degree of compromise and the number of victims, the length of the breach, etc. In addition to the official GDPR sanctions, companies may also face lawsuits and requests for compensation from affected individuals.

An important piece of information for data controllers is also that if they are compromised and have a high-risk data leak, there is an obligation to report the incident to a supervisory authority within 72 hours. Also important for online companies and e-shops is the information that the approval system with the processing of personal data will change. Whoever entrusts you with sensitive data will need to know exactly what purpose they are providing their data for.

The whole regulation is very complex and extensive, in the following articles we will try to shed some light on the different pitfalls and obligations that you will face with GDPR. Cybersecurity is also part of the technical solution to data protection, which we cover. It's important to have your data properly secured and encrypted to prevent unauthorized people from getting to it. It's also essential to work with data in a secure space and be sure you're not being tracked or eavesdropped on by competitors. We will also offer you the services of an independent Data Protection Officer. We will be happy to provide you with the necessary advice as part of our consultancy and assistance to prepare the ideal conditions corresponding to the safe handling of personal data under the GDPR.

If you are interested in details, don't understand something or need any other information, please contact us. We will be happy to advise and address your needs and questions individually.