While the bill codifying the national provisions on personal data and transposing Directive 2016/680 (covering processing by pre-trial authorities and prosecutors) is still awaiting submission to the House, companies operating in Greece are already required, from 25 May 2018, to comply with the new General Data Protection Regulation 2016/679 (GDPR), which imposes strict rules on the processing of the personal data of EU residents.
The GDPR introduces new tools and procedures to ensure wider and more effective protection of personal data, including, for example, carrying out a Data Protection Impact Assessment, keeping a Record of Processing Activities and, most importantly, appointing a Data Protection Officer (DPO).
Any violation of the new Regulation will result in administrative fines imposed by the competent personal data protection authority, which may amount to up to €20 million or up to 4% of total worldwide annual turnover for the preceding financial year, whichever amount is higher.
At the same time, recent surveys in Greece reveal that 4 out of 6 companies are unaware that the Regulation already has a significant impact on their existing structures, or of how they should begin working towards compliance.
What a business should do
In this context, AS Network's specialist advisors have created a road map with the key steps that every company operating in Greece should follow in order to comply with the GDPR:
Data flow mapping, investigating the following questions:
- What personal data are held, how were they acquired, for what purpose, and in which category do they belong (simple, sensitive, public)?
- Who are the data subjects?
- Where are the personal data stored (electronic or physical file)?
- Who has access to them, and to whom are they disclosed or forwarded?
- Has the data subject consented to the processing?
- How long are the personal data retained?
- Is there a process for destroying them?
- What technical and organisational measures have been taken to protect the data?
Impact assessment before processing begins. If the assessment indicates a high risk, the controller (the person responsible for the processing) must consult the personal data protection authority and obtain its opinion.
Adoption of technical and organisational measures for data security.
Continuous compliance with the GDPR, and proof of that compliance (accountability):
- Appoint a Data Protection Officer and provide the supporting staff and resources needed to perform the role.
- Keep a record of each processing activity that takes place.
- Document and implement data protection policies.
- Adopt procedures for handling personal data breaches and test their effectiveness.
- Include specific personal data clauses in contracts with staff, customers and suppliers.
- Handle data subject rights: access, rectification, objection, restriction of processing, data portability, etc.
- Train staff and raise their awareness.