All are equal against the General Data Protection Regulation

From 25 May 2018 the launch of General Data Protection Regulation will equalize data protection rules within all European Union countries. Specialists alert that the changes should be noticed not only by the specific business, which process plenty of personal data, but also by all small or medium sized businesses which is somehow related with personal data of the  EU citizens  – clients, suppliers, partners or employees.

European Union, with the new GDPR, is aiming to change all the doubtful habits of the specific companies, for example: selling clientele e-mails, improperly saving personal data from hackers or outsiders. Experts state that GDPR will bring favourable conditions for the society to control their sensitive data. Juste Sakalauskaite, Compliance Specialist  and Data Security Officer at Šiaulių Bankas , admits that is  difficult to forecast if  the new regulation felicitates  process of data security for business.

„I do think that only time will tell if GDPR brings more clarity or more confusion. In general, the regulation itself is not something new  in data protection, there are some innovations and improvements in it, but all the essential requirements remain the same. The biggest news of the new regulation  – bigger penalties . That is exactly why (penalties) regulation receives so much attention. However, data protection was always valid, up until now . For example, banks always were and still are very strict with it. Having said that, while preparing for GDPR we still had to check and  verify some processes.“ – said J. Sakalauskaite.

The initiators of regulation assure, that unified system will help to reduce costs and even bring economical benefits – approximately 2,3 bln. Eur. Business is afraid of big financial losses and state that GDPR will be most relevant for corporations, whom manages huge amounts of data.

„Attitude that data protection should be a bigger concern of huge corporations or specific businesses, like banks is not somehow accidental.  Big corporations do manage an enormous ammount of data, that is why risks related with data are way bigger. Small-sized companies, with up to 250 employees working in it, manage incomparably less data. However, data protection regulations should not be forgotten, despite the size of company. For all the companies there is one main rule – to not ask for clients superfluous data, manage only necessary data and guarantee the safety“, - states the bank representative.

Not only IT concern

J. Sakalauskaite says, that the first step , which should be followed by the companies that did not pay a lot of attention for data security – properly introduce all your employees with data security regulations.

„In practice we see, that majority of employees do not understand the real meaning of personal data. Personal data is information, which identifies the persona: name, surname, personal code and etc. As well as all indirect data, which is only obtainable with additional tools , for example - contract number, which if entered in to the system is capable of showing all data required. When employees are familiar with what personal data is, it should be easier to understand  what type of data is managed within the company, then review which employees are involved with data management processes- they may find out, that they do not even realize, that they are managing sensitive information. It is very important to understand, that majority of employees do not know, in what kind of legal basis company accumulates data – all these questions should be discussed with staff“, - recommends J. Sakalauskaite.

Specialist states, that it is wrong to think that data security must be maintained only by the lawyers or IT specialists.

„Data security is not only Law or IT customer service point matter; it should be concern of all employees within the company, who work with the data of clientele. Data security is extraordinary important from the first moment, when you take the data of clientele and submit it in to the system. You should assure that data take will not go anywhere else and it will not be seen by the outsiders.  Frequently, first- to -see personal data are front-desk workers. They must be very well acquainted with the data security principles - says interlocutor. – New GDPR is relevant to all employees, who manage, systemise, review and transfer data. It may be that in some specific companies will lack such type of employees – for example, baker has no point analysing new regulation. However, the accountant of the same bakery might find it topical. Head of bakery importance is crucial in this as well: it has to highlight the importance of data security, to lay down priorities and strategy, make sure that there are enough of resources to obtain and realize plans.“

According to J. Sakalauskaite, the most useful thing to do is to prepare training which should cover not only theoretical background but practical as well.

„Even if company does not have a lot of financial resources, useful data and practical examples can always be taken from the Internet.“ – suggests specialist.

It will not be allowed to accumulate

According to J. Sakalauskaite, the old attitude, that it is better to save-up and gather as much data as possible, because it might be useful must be changed as well – this aspect of regulation receives a lots of discussions lately.

„Data minimization means that it is incorrect to manage more data than it is required. Thus far, only a small part of business companies deleted personal data- everything was accumulated, justifying that it might be useful in the future. Now regulation provides for boundaries of how long will it be possible to store data. However, it makes it controversial, since majority of  government institutions often require to submit big amounts of data“,- describes the problem representative of Šiaulių Bankas