In May the new EU data protection regulation comes into force.
Meanwhile, GDPR is not a time bomb, but rather a process requiring a change of mindset on a European level, that applies equally to authorities, businesses and natural persons as well. Currently, uncertainties abound because in Hungary the appropriate legal regulation has not yet been published and the current data protection regulation is not in line with the GDPR. Despite legislative delays, the GDPR is directly applicable in Hungary. This means that companies must start to get ready to comply.
The most important point is that the GDPR applies without exception to all companies that process data of European citizens. In order to comply with the GDPR, business procedures have to be transformed and continuous risk analyses are needed. Companies have to do everything they can in order to minimize data protection risks. They have to audit and re-regulate their entire data processing practices, which clearly requires a considerable amount of time and money.
A major innovation is that companies not only have to comply with the data protection rules, but they have to be able to prove it. At every moment of data processing, compliance has to be demonstrated with relevant documents. This requires constant audit of data processing activities. In order to maintain data security, appropriate measures must be built into these processes and workers must be trained so the GDPR is also applied in practice.
Indeed, the amount of possible fines has increased dramatically, although the chance of receiving a 20 million euro fine is relatively small. According to previous practice by the authority, fines are the last resort: previously the authority would issue a ‘cease and desist’ notice for unlawful operations and draws attention to necessary measures.
This suggests that mass fines will not be imposed on the morning of 26 May. Nevertheless, it is advisable to start preparations, analyze risks and seek timely solutions to the most pressing issues involving experts and legal advisers.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)