What 25 May 2018 means for the day-to-day functioning of data processing entities – the implementation and application of the GDPR
The GDPR came into force already back in 2016, but only starting on 25 May it is applicable in full, regardless of the advancement of the legislative work on changes to industry-level regulations. This entails new duties for employers and means that they have to verify the documentation they are currently using.
When processing personal data, you will have to design and implement a comprehensive system for the protection of such, which will be adjusted to the nature of your business and your organization, as well as to ensure the accountability of your actions (the ability to demonstrate your actions in this area). In order to do this, I recommend a thorough verification of your personal data as well as determining the purpose and the period of their processing. Failure to comply with GDPR requirements might result in an inspection, and if irregularities are found, severe penalties could be imposed.
If you entrust the processing of the personal data of your employees to other parties (e.g. when human resources and payroll services are outsourced), I recommend taking a closer look at the current data processing agreements. GDPR significantly expands the regulations pertaining to such agreements. In particular, as a controller you can only entrust personal data processing to entities that provide a sufficient guarantee that they will implement appropriate technical and organizational measures for the processing to meet the requirements laid down in the GDPR, with protection of the rights of the data subjects. As far the content of the data processing agreement is concerned, you should remember that the mandatory elements of data processing agreements include, inter alia, (1) the subject and the term of the processing, (2) the nature of the purpose of the processing, (3) the type of the personal data and the categories of the data subjects and (4) the duties and rights of the controller. It is a good idea to review your agreements for the inclusion of all the required information and to verify whether the processor to whom you entrust the data gives them adequate protection.