Personal data becoming personal property – Companies in Serbia unprepared for implementation of GDPR

If the presidential elections in the USA were held after May 25, 2018, Donald Trump might not be sitting in the White House, and not just for his controversial biography either, but because of the public revelation, two years after the election campaign, of the fact that the data of 50 million Facebook users had been used by Cambridge Analytica, related to Trump`s election staff.

Personal data of around 2.7 million European users of this social network might be among them, the European Commission announced, citing data provided to it by Facebook.

Beginning with May 25, 2018, when the new General Data Protection Regulation (GDPR) of the EU comes into effect, personal data of the users of this social network will be treated as any other personal property.

Although the collection of these data has been regulated by law before, the new regulation brings many new features, but also severe penalties in case of violation.

What is GDPR?

If your inbox has been loaded with notifications by various organization of the change of the manner of data collection lately, don`t ignore them. Pay attention to what they say, that is, what kind of your personal data they have.

The GDPR pertains to a new legal framework which defines the manner of use of personal data of EU citizens, such as the name, personal identity number, email address, phone number, but also web browsing history and data showing not just who the person is but how to reach them as well.

In line with this document, each organization processing the data of EU citizens, but also those persons only living within the EU borders, without being its citizens, will have to comply with the new personal data protection rules.

According to the GDPR, any citizen of the European Union can ask any company why the data are being collected and to have the data collected by the company deleted. It is important to emphasize that the new regulation pertains not just to organizations from the EU, but to legal persons registered outside the Union, but operating with EU residents.

The regulation also defines obligations for legal and natural persons from outside the EU. Among other things, the regulation says that companies headquartered outside the EU shall have a representative within the Union in charge of certain questions regarding data protection and run a record of activities of personal data processing in certain cases.

Also, all those who offer their services and goods in the territory of a member state or directing their online business towards the EU will have to implement the regulation. Those offering special services and discounts in the language of a member state or directed at the EU residents will also have to comply with the new regulation.

Therefore, although the national regulation in this field has not yet been adopted, companies from Serbia doing business with EU residents need to harmonize their operations with the GDPR.

Let us also note that, as Serbia is not on the EC list of countries which implement adequate personal data protection measures, the GDPR proscribes additional protection measures if data travels from the EU to Serbia (contract clauses, conduct codices, mandatory corporate rules).

Also, as said at the recently held Digital Day, Serbia doesn`t have a certification body that would determine whether the company is operating in line with the provisions of this regulation or not.

Law on Personal Data Protection to be adopted by the end of 2018?

The GDPR was adopted in 2016 and companies have had two years to adapt to its provisions. Serbia`s Law on Personal Data Protection should be adopted by the end of 2018. According to Sasa Gajin of the Center for Advanced Legal Studies, it has been approved by the EU authorities and it is up to local politicians to adopt it now.

The draft law largely matches the GDPR provisions, so companies in Serbia will need to implement nearly everything that legal and natural persons from the EU are already starting to implement regarding personal data protection, which entails many more obligations than are currently proscribed for third countries by the GDPR.

As Marija Milojevic of the consulting company KPMG says, this also entails the existence of persons in charge of personal data protection in companies, the obligation of a unified register, the obligation of reporting any violation within 72 hours...

Companies will be given six months to harmonize their operations with this law.

Companies in Serbia not prepared for GDPR

According to KPMG`s survey, a large number of companies in Serbia have not yet determined whether the GDPR pertains to them or not. As the company says in a press release, even companies certain that the regulation does pertain to them are only in the initial stages of harmonization, defining the type of personal data processed, as well as where the data are stored.

That local companies have not taken the regulation seriously is confirmed in practice. According to the survey, many companies do not have a person in charge of dealing with personal data and their protection in detail, the departments in big systems are decentralized, some data are kept in paper form only, and some are kept on servers.

– Companies first need to perform an analysis of the current situation, interview all the departments that process and store personal data in order to determine the type of data, whether they are kept on paper, electronically, in the country or abroad – says Marija Milojevic of KPMG.

As added, it should also be determined how companies protect personal data – whether they take technical or organization measures, set restrictions to the right of access to files and similar measures. After that, the steps that companies should take are defined.

Commissioner for Information of Public Importance and Personal Data Protection Rodoljub Sabic agrees that Serbia is not prepared for the GDPR.

– The regulation will be relevant for our citizens and business entities, which we treat as the most interesting part of our economy. Nobody doing business in the European market should harbor illusions that the EU has merely set the rules. It also has instruments to implement sanctions in case of violation – Sabic said recently at an international conference dedicated to the regulation.

Penalties can amount to as much as EUR 20 million, or 4% of global annual turnover. However, the point of the new regulation is not to act repressively, but to prevent the violation of individual rights.

According to Sabic, the commissioner`s office will help citizens and business entities prepare for the implementation of the GDPR, especially since, in Serbia, “the violation of the right to privacy and the abuse of personal data are not seen as serious delicts”.

According to him, the regulation is a long awaited “symbol of resistance” to a trend which seemed terrifying and which left the impression that the right to privacy would disappear.

– This regulation establishes a new standard, a new quality in the European area, and Serbia will need to harmonize its regulations with it – Sabic pointed out and added that, if a new law on personal data protection, the kind of which he had proposed, had been adopted, it “would have brought us considerably closer” to the adopted regulation.

Companies that deal in data processing – handlers and processors – are those for which the rules are now becoming stricter. Handlers will be able to have only those personal data that are absolutely necessary, as the processing of any piece of data means responsibility for it. In order to be able to perform data processing activities, processors will need to sign special agreements with handlers, such as will clearly define the obligations and the responsibilities.

Equal protection for all citizens

One of the goals of the GDPR is for the level of personal data protection to be equal throughout the EU. The organs in charge of personal data protection will be given new authorities, but also new obligations.

Keeping in mind the increasingly frequently posed question of whether privacy even exists anymore, considering the amount of information we leave on social networks, surfing the internet or making online purchases, it was pointed out at the gathering that this right had not disappeared and that it is these state organs that serve to protect privacy and personal data, and not to violate them.

The way we treat data will largely determine our personal safety and influence the development of digital economy. That is one of the conclusions of the gathering attended by, among others, representatives from the region – Bosnia and Herzegovina, Macedonia, Moldova, Slovenia, Croatia and Montenegro.

As said in the KPMG report, an example of good practice in systems of personal data protection in Serbia are banks, which have been targeted by high-tech crime, leading them to, for example, implement special tools enabling them to identify unauthorized access and usage of personal data.

In order to adapt to new rules, the marketing agency Ipsos has undertaken many activities in line with the GDPR. As the company announced, Rupert van Hullen was named Chief Privacy Officer (CPO) and manager of Data Privacy Officers (DPO) on March 1, 2017.

Also, as they say, Ipsos uses techniques of anonymization of personal data of survey subjects as part of the data collection process, so they can be only accessed by field teams and then only to the extent to which it is necessary, whereas access to employee personal data is strictly limited to the HR management staff. Ipsos implements various types of encryption on employees` laptops, whereas subcontractors for the processing of personal data are picked based on their ability to act in line with Ipsos` demands regarding the protection of information.

Katarina Stevanovic

EUROPEAN COMMISSION Bruxelles

Vlada Republike Srbije

KPMG d.o.o. Beograd

Ipsos Strategic Marketing doo Beograd

Ministarstvo pravde Republike Srbije

Poverenik za informacije od javnog značaja Srbija

European Commission

GDPR

General Data Protection Regulation

personal data

abuse of personal data

protection of personal data

data collection

EU citizens

European Union citizens

EU residents

doing business in the EU

personal data protection

Center for Advanced Legal Studies

Law on Personal Data Protection

Marija Milojevic

Sasa Gajin

Digital Day

consulting companies

cloud

personal data storage

personal data sharing

Rodoljub Sabic

data processing

data processors

data handlers

online purchase

social networks

high tech crime

Rupert van Hullen

CPO

Chief Privacy Officer

DPO

Data Privacy Officers

online anonymity

anonymization of personal data

data encryption

protection of information