The transition period to the General Data Protection Regulation is already complete. We would like to remind you of the changes that were implemented with the GDPR and how we prepared for its application at Contisystems. We would also like to remind you that this article should not be considered as legal guidance for compliance with the above regulation. We advise you to check the European Committee page on Data Protection if you would like complete information on the regulation.
What is the GDPR?
The GDPR – General Data Protection Regulation – is a regulation approved by the European Council on April 27, 2016 and it refers to the protection of natural persons with regards to the processing of personal data.
When does it come into force?
After a transition period of two years, the GDPR is mandatory from May 25 onwards through the direct application of the approved regulation and without the need for national legislation.
To whom does the GDPR apply?
To all professionals, companies and organisations, both public as well as private, that manage, process or handle personal data.
What changes were implemented with the GDPR?
The GDPR intends to regulate the complete lifecycle of the processing of personal data.
The regulation introduces significant changes to the current Data Protection rules by imposing new obligations on organisations and non-compliance with these new obligations is punishable by hefty fines which could go up to 4% of the annual global turnover or to € 20,000,000.00 (whichever is higher).
The GDPR is not limited to legal and IT matters. It is applicable throughout the organisation and implies implementing a risk management system, an information security system as well as the adoption of new behaviours such as:
- Attainment of consent for the collection and processing of personal data;
- Introduction of accountability duties
- Carrying out Privacy Impact Assessments (PIA);
- Sending a mandatory notification to the Data Protection Authorities (CNPD) in the event of a data leak or compromise;
- Appointment of Data Protection Officers;
- Reinforcement of data security;
- Exercise of the right to forget (companies should delete the personal data whenever requested by the data subjects);
- Exercise of the right to data portability (it enables people to access their data and to provide it to another company);
- Exercise of the right to oppose to profiling (data subjects have the right to oppose to any form of automated personal information processing with the purpose of assessing and typifying individuals based on their personal data);
- Elimination of the data when it is no longer necessary (it should only be kept for the period needed to provide the product or service).
How did we prepare for the application of the GDPR at Contisystems?
Following a background, in which information security has always been important, Contisystems is currently implementing methodologies as well as assessments that guarantee total control of its data through the implementation of good practices. Examples of these good practices are assurance of encryption of all the information relating to personal data and analysis of new processes in order to map the physical and logical locations, where the information passes, as well as identify the data transformation processes and the people who intervene in them.
You can count on our cooperation in complying with the data protection regulation!