Each instance of data processing represents a certain risk for personal data, which needs to be assessed and adequately controlled.
The implementation of the new Law on Personal Data Protection (the Law) started more than a year ago, but the question arises to what extent the obligations prescribed by the Law are being fulfilled. A significant part of the solutions from the General Data Protection Regulation (GDPR) has been copied, which creates numerous new obligations for companies and makes the harmonization process more complex and time-consuming, as well as more demanding in terms of resources. The main impression is that a large number of companies have not taken the steps necessary to harmonize their business with this Law, which can lead to the imposition of fines, as well as damage to the company’s reputation.
“Experience tells us that the reasons for companies’ non-compliance with the Law differ from company to company”
– There are frequent situations where the parent company, based in the European Union, harmonizes its business with the GDPR, and domestic companies then adopt these solutions with some adjustments, believing that, in this way, they have fulfilled their obligations.
– We have also encountered cases where companies use “standard” document templates, which do not meet their specific needs.
– Finally, many companies are still not aware of the need to implement this Law.
“The fact that some of the necessary steps have been taken does not mean that compliance with the Law has been carried out”
The way each processing of personal data is performed, as well as the risk it poses to the protection of personal data, differs from one legal entity to another, and thus creates different obligations for each of them. The development and implementation of documents is the last step in this process. The first things that need to be defined are the following:
– what data the company processes and their flow
– in which business processes data processing is performed
– a risk assessment for the personal data being processed, with appropriate measures applied to reduce the risk to an acceptable level.
Take, for example, a company that sells furniture. Suppose it has employees, customers and business partners, as well as a website with an online shop. The amount of personal data processed by such a company is large: CVs of job candidates, loyalty programmes for customers, cookies on the website that analyze visitor behaviour, a database of suppliers and/or customers, employees’ salaries, servers located in countries that do not provide a sufficient degree of data protection, external associates with whom the collected data is shared, etc.
Each data processing operation represents a certain risk for personal data, which needs to be assessed and adequately controlled. Documents (rule books, privacy notices, data transfer agreements, procedures, consent forms, etc.) need to be compiled and rules for handling the data need to be established in line with the assessed risks. Employees who process data in the company must be trained to use these documents. Only in this way is it possible to prove that the company implements the Law. The goal is to establish procedures for handling personal data that are understandable to those who are obliged to apply them and that are appropriate for the business processes that take place in the company.
IVAN MILOŠEVIĆ, Partner
ANDREA CVETANOVIĆ, Senior Associate