Best practice

How to ensure a long-term personal data protection strategy

  28. 01. 2019

Today, January 28th, we commemorate Personal Data Protection Day in Europe. The day is intended to spread awareness of the importance of protecting personal data. 

Despite the fact that, thanks to the GDPR, public awareness of the importance of personal data protection and privacy improved last year, there are still considerable challenges in this area. In addition, the world was rocked by a number of scandals concerning the abuse of individuals’ personal data - scandals which further damaged not only numerous companies’ reputations, but our trust in their handling of personal data.

In Europe, the first penalties were imposed

In the months following the entry into force of the GDPR, regulators in many EU countries acted only to educate companies on its enforcement, issuing numerous guidelines while refraining from applying penalties; now, however, things are changing. The first penalties have already been imposed on the European market. One of the first known cases was a 400,000 EUR fine imposed on a hospital in Portugal for GDPR violations. In Austria, a 4,800 EUR penalty was given to a casino because of an improperly installed security camera, and a German social network had to pay 20,000 EUR in penalties for a security breach that compromised more than 1.8 million usernames and passwords.

Due to increased public awareness, the number of requests submitted to information officers has also increased, meaning that this year, data protection authorities will certainly be even more active with regard to supervision and penalties.


Ensuring personal data protection is a living process

If you made only the most important personal data protection adjustments before May 25th, 2018, it’s now time to define a long-term personal data protection strategy that ensures consistency. Personal data protection is not a state that we achieve ‘once and for all’, but an ongoing, living process which must be constantly monitored, optimized, and supervised.

A systematic approach is key

A comprehensive approach to personal data protection requires a thorough analysis of the situation from the perspectives of law, information security, compliance, and business process quality. Therefore, a strong knowledge of Slovenian and European legislation is needed, as is experience in the field of personal data protection and processing.

A long-term strategy consists of four steps:

  1. planning, including reviewing personal data collections, identifying risks, and preparing actions, policies, and the relevant agreements,
  2. implementing personal data protection and processing measures,
  3. verifying the implementation of such measures, including with regard to compliance, and
  4. taking action in the event of irregularities, and preventing their recurrence.

In addition to a clearly defined strategy, the Data Protection Officer (DPO) is also key to ensuring compliance in personal data protection. The GDPR stipulates that public authorities, companies, and institutions involved in the systematic and regular processing of personal data, or in the processing of sensitive personal data, must appoint a Data Protection Officer.

If your company doesn’t have the relevant legal expertise, or the relevant knowledge and experience in the field of information security, or if your employees are overwhelmed with their other obligations, you can appoint an external DPO. In doing so, you ensure, independently of your internal resources, that your company’s personal data processing and protection comply with the relevant regulations.

When deciding on a systematic approach to personal data protection, fear of serious penalties shouldn’t be the driving factor; above all, you should be aware that transparent business practices and responsible personal data management provide companies with a competitive advantage. By deciding on a long-term strategy and an integrated approach to personal data protection, you can significantly reduce risks, improve your reputation, and build customer confidence.