By Chrysiana Antonopoulou
The protection of the personal data of natural persons had a legislative basis even before the implementation of the widely known General Data Protection Regulation of the EU, otherwise known as the GDPR. Nevertheless, 25 May 2018, the date of mandatory application of the Regulation across all EU Member States, was the milestone that effectively marked the beginning of the integration of a personal information protection mindset within businesses, and simultaneously raised awareness among individuals regarding their rights.
The Regulation applies horizontally to every business that processes personal data of natural persons, regardless of the sector of economic activity and company size. It significantly increased the obligations of organisations regarding the management of personal data, as well as the scale of fines in cases of non-compliance. This potential risk was not overlooked, particularly by businesses that swiftly moved to comply with the Regulation, which carries the characteristics of mandatory and direct application across all Member States, without requiring transposition into national law through new legislation.
GDPR Compliance Steps
The GDPR compliance steps are not the same for all businesses. The degree of compliance difficulty varies depending on the characteristics of each business. Key factors that affect compliance requirements include: the number of employees; the frequency and scope of processing activities (occasional or systematic, large-scale or small-scale); and the type of personal data being processed (‘ordinary’ personal data or ‘sensitive’, i.e., special category data, such as health data or data relating to racial or ethnic origin).
However, certain steps are common for all businesses, regardless of size or nature of processing:
- Awareness and Training
Informing and training the company’s Management and all personnel so that they know what is permitted and what is prohibited, what the rights of natural persons are, and what the Management’s obligations are; and gradually embedding a personal data protection mindset so that they are able to recognise potential risks. The company, as ‘Data Controller’, must be able to demonstrate compliance at any time (accountability principle).
- Data Mapping
By mapping the data processed by the company, the flow of data is identified, from collection through to filing or destruction, together with the systems and third parties (processors) that hold it at each stage. During the mapping process, unintentional violations may also come to light (e.g., it may emerge that more personal data is being requested than is actually necessary for the purpose for which it is collected), or the problem of indefinite retention may surface (e.g., the company retains vast amounts of data for years without it being updated, and without any deletion policy or secure destruction procedure in place).
- Documenting the Lawfulness of Processing
The processing of personal data is not inherently unlawful; it simply requires one of the grounds provided for in the GDPR. This ground (or ‘legal basis’ for processing) must be carefully identified prior to carrying out the processing and must be communicated to the natural persons concerned (data subjects). The choice of legal basis has practical consequences, as certain individual rights apply differently depending on the legal basis selected: for example, the right to data portability is available only where processing rests on consent or a contract, while the right to object applies to processing based on legitimate interests or a public task, and consent, once relied upon, can be withdrawn at any time. Choosing the wrong legal basis can lead to the imposition of a fine due to the misleading information it generates vis-à-vis the data subjects.
- Personal Data Protection Notice
Every business must provide, in writing and with appropriate clarity, information at minimum covering: the identity and contact details of the Data Controller (which may coincide with those of the legal entity); the Data Protection Officer (DPO), if applicable; the purposes and legal basis of the processing; the recipients or categories of recipients of the data; the retention period or the criteria used to determine it; the rights of data subjects and how to exercise them; and a specific reference to the right to lodge a complaint with the competent supervisory authority (i.e., the Data Protection Authority). Each natural person will also be able to obtain information about the processing of their personal data upon request to the company, by exercising their right of access.
- Review of Technical and Organisational Measures and Data Protection by Design
The company must review its existing information systems and existing organisational security measures, and implement the necessary compliance modifications. This includes: security of information systems, networks and software; physical security; restricted and controlled access to data files; encryption or pseudonymisation of files where required (noting that pseudonymised data remains personal data as long as the key or lookup table that re-identifies it exists, so that key must be stored separately from the dataset); training and continuous updating of staff; clear and documented policies and procedures; and a business continuity and data recovery plan, together with a breach response procedure that can assess an incident quickly enough to meet the 72-hour deadline for notifying the supervisory authority where notification is required.
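The pseudonymisation measure above is often implemented badly by simply hashing an identifier such as an e-mail address, which an attacker can reverse from any list of plausible addresses. The following added example (not code from the original article) contrasts that unkeyed hash with keyed HMAC pseudonymisation, where the secret key and the token-to-identifier table are held apart from the exported dataset. The records and the attacker's guess list are constructed for illustration; `PseudonymisationVault` is a hypothetical helper name.

```python
"""Keyed pseudonymisation of direct identifiers (added example; hypothetical data)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records; the addresses do not belong to real people.
RECORDS = [
    {"email": "Alice@example.com", "order_total": 120.0},
    {"email": "bob@example.com", "order_total": 35.5},
    {"email": "alice@example.com", "order_total": 80.0},
]

# A constructed list of guesses an attacker might use to reverse unkeyed hashes.
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalise(identifier: str) -> bytes:
    # Case-fold and trim so the same address always yields the same token.
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: looks anonymous, but guessable identifiers are trivially reversed."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept apart from the dataset.

    Same identifier + same key -> same token, so records remain linkable for analysis.
    A different key per purpose yields unrelated tokens, so datasets cannot be joined.
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, guesses, fn) -> Optional[str]:
    """Try to reverse a token by applying fn to every guess; None if nothing matches."""
    for guess in guesses:
        if hmac.compare_digest(fn(guess), token):
            return guess
    return None


class PseudonymisationVault:
    """Holds the key and the token -> identifier table (the 'additional information'
    that must be kept separately under technical and organisational measures)."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def tokenise(self, identifier: str) -> str:
        token = pseudonymise(identifier, self._key)
        self._table[token] = normalise(identifier).decode("utf-8")
        return token

    def resolve(self, token: str) -> Optional[str]:
        # HMAC itself is one-way; only the holder of this table can re-identify.
        return self._table.get(token)

    def export(self, records):
        """Return records with the direct identifier replaced by a token."""
        return [
            {"subject": self.tokenise(r["email"]), "order_total": r["order_total"]}
            for r in records
        ]
```

Run `dictionary_attack` against `naive_hash` and the attacker recovers the address from the guess list; run it against a keyed token without the key and it returns nothing. The vault shows why the result is still personal data: whoever holds the key and table can resolve every token.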
In Conclusion
While GDPR adoption may be largely driven by the threat of heavy fines (up to EUR 20,000,000 or 4% of total annual turnover of the preceding year, whichever is higher), the long-term benefits for a business are not limited to avoiding direct financial loss. Actively promoting respect for customers’ rights, improving the company’s reputation, securing electronic systems against potential attacks and information leaks, and increasing productivity through the proper organisation of information — these are all pillars of growth and protection of hard-won achievements for every business.