It is the question on the minds of many in data protection circles: what happens on 26 May? For those who do not recognize the date, remember that the General Data Protection Regulation (GDPR for short) is due to enter into force on 25 May.
So many are wondering what will happen once the new regulation is implemented. Of course, the EU and the Member States are reportedly taking data protection very seriously, but so far we have not seen any striking changes in the measures to be taken for the new regulation.
Some would argue that this is because many countries have neglected to give data protection laws to law enforcement authorities and will have virtually no control mechanism in place.
However, the GDPR is coming, and it brings new rights for users, new obligations to disclose data breaches, and many other business issues that companies will find hard to tackle.
The data protection authorities (DPAs) expect everyone to implement the law quickly, but no one has said what will happen from day one… Will they start handing out fines immediately? Will there be many fines? Will fines be the DPAs' main tool for enforcing and introducing the GDPR?
Below we look at what you can do from 26 May if you are not yet ready to fully adopt the new regulation:
First of all, do something to show that you are making an effort. Even if you are not ready for full adoption of the GDPR, it will not be a problem. Will there be a grace period? We hope that some authorities will explicitly state that it will not exist. Of course, the learning curve the new regulation requires should be taken seriously, but this lies at the discretion of each authority. However, it is important to start today, not tomorrow.
If an authority calls you in and you can prove that you have started down the path, that will go a long way.
Secondly, immediately update your Privacy Terms of Service and tell your customers what you do with their data. Also make sure to let them know about their rights as described in the GDPR.
Transparency will be a key priority of implementation; indeed, it will be the key. Rights cannot be exercised if there is no transparency.
If you collect data and do something with it that your customers do not know about, you had better stop, not tomorrow but today, or at least by 25 May. You are legally required to have a Data Protection Officer. Make sure you have someone named and publish the contact information.
Third, make sure you ask for help. Some of these problems are really hard to solve. If you have a problem, do not pretend that you do not. Do not hope it will go unnoticed. Contact your local DPA and ask about what you do not understand. Better for you to disturb them than for them to disturb you.
Although not all EU data protection authorities are equally cooperative, the GDPR should be implemented. The grace period mentioned above may not exist in some countries:
"There are no grace periods," said the Austrian DPA and Andrea Jelinek, "because grace periods were already the previous two years. You had two years to take the necessary steps."
There will surely be fines, and they will be significant. Strict fines will of course be imposed on companies that deliberately persist in violating the law.
There will be warnings, and investigations will be conducted before the fines. However, companies that show a willingness to comply and cooperate will be treated better by the authorities. Initially at least…