General Data Protection Regulation in the EU: Requirements and challenges for the business
New EU Data Regulation Saves European Business 2.8 Billion EUR
– About 80% of Bulgarian companies and 70% of EU businesses are not prepared to respond to the introduction of Regulation (EC) 2016/679 on personal data protection (GDPR)
– 50,000 to 100,000 Bulgarians have to undergo training on implementing the new rules
– Depending on the violation, fines for unauthorized or malicious handling of personal data are up to 2% (up to 10 million EUR) and up to 4% (up to 20 million EUR) of the company's annual turnover
“The introduction of the new regulation on the protection of personal data (Regulation 2016/679, abbreviated as GDPR) will affect everyone. There is no other policy that affects so many spheres in life. The purpose of the regulation is to harmonize data protection laws in the 28 EU Member States”, said Ventsislav Karadzhov, chairman of the Commission for Personal Data Protection (CPDP), during a forum organized by the American Chamber of Commerce in Bulgaria on Oct. 10, 2017 at the Grand Hotel Sofia.
He underlined that the decision to make companies more responsible towards citizens is a result of personal data having become a business for many companies. According to Karadzhov, about 80% of the companies in Bulgaria are not yet ready for the new rules, which will become effective as of May 25, 2018.
Tanya Tocheva, partner at the law firm “Tocheva and Mandadzhieva”, explained that the most affected fields will be healthcare, banking, insurance, utility providers and mobile operators.
We live in an environment of constant data exchange through social networks, mobile applications, cloud services and artificial intelligence, and personal data is processed in almost every sector of the economy and of life, explained Plamen Angelov, director of legislation and international cooperation at CPDP.
The introduction of the Regulation greatly widens the rights of individuals. Special attention is paid to the protection of children’s data. The requirement for transparency is increased, and accountability is introduced.
Under the Regulation, companies that operate with personal data of citizens, particularly on the Internet, and those that process sensitive data, are obliged to appoint a Data Protection Officer (DPO). In addition, the CPDP proposes that companies processing personal data of more than 10,000 persons should also appoint a DPO.
According to Karadzhov, it will be necessary to train between 50,000 and 100,000 people to apply the new rules, which requires the creation of a National Training Center. A building has already been designated for the purpose, and 1.5 million leva of funding is needed for its reconstruction.
“We rely on funding from the 2018 budget,” said Karadzhov. Parallel work is also being done to build an online platform that can educate 10,000 people at the same time. The Commission needs BGN 350,000 for the platform.
Iva Todorova, a member of the Board of the American Chamber of Commerce in Bulgaria and chair of the Digital Working Group, said that according to the European Commission, the introduction of uniform rules would save EU businesses about 2.8 billion euros in legal costs. She stated that the new legal framework ensures better protection of citizens’ rights and warned that penalties for unauthorized processing of personal data vary depending on the offense: up to 2% (or up to 10 million) and up to 4% (or up to 20 million euros) of the annual turnover of the company.
For AmCham members, Confidentiality or Security of Information is essential. Our members put trust at the basis of working with customers and partners, and this is becoming a highly competitive advantage, Todorova further said.
According to her, the open articles in the GDPR raise additional uncertainty, as does the question of how this could create regulatory divergences and a fragmented application throughout the EU. This would be a barrier to creating a single digital market and problematic for businesses with operations across Europe, she pointed out. AmCham has always advocated for harmonized application of the regulation. We support the global and uniform approach and the mutual recognition of data privacy regimes, Todorova added.
By the end of the year, the CPDP, jointly with the Ministry of Interior, will submit to the National Assembly a law amending and supplementing the Personal Data Protection Act. Transitional and final provisions will be amended in a number of sectoral laws that have to be transposed in line with the new regulation.
Vihren Slavchev, managing director of Mnemonika, said that in order to protect the companies, metadata are collected in a given client company and are directed to certain Internet spaces.
Ognian Yuskeseliev, a digital transformation manager at Telelink, said that when information is in a cloud space, it is better protected.
According to Boyan Yanchev of Lirex BG, most companies are at the initial stage of their preparation – a technological impact assessment.
The business representatives put many questions to the representatives of the CPDP, outlining the challenges they face in preparing for the transformation. Many of the technology giants that are members of the American Chamber of Commerce in Bulgaria have put forward specific solutions for more effective implementation of the new rules in companies.