As the European Union gets ready to enhance data protection for all citizens under the General Data Protection Regulation (GDPR), small and medium-sized firms in Romania are still struggling to comply with the new rules that will come into force on May 25.
Firms processing personal data on a large scale for business purposes will feel the biggest impact, whether they are active in banking and financial services, telecom, retail or pharma. The public sector will also have to have its systems in place by the end of this spring.
“Companies should remember: personal data belongs to individuals and they (may) have lent it to the company for business purposes. Just like any loan, they can revoke that right at any time,” Robert Stoicescu, manager, risk assurance solutions at PwC Romania, the professional services firm, told BR.
GDPR compliance will mean that companies have to change privacy notices, and amend agreements with individuals and service providers, which will also require new investments in technology.
“The new concepts introduced by the GDPR (e.g., privacy by design, privacy by default, data portability, data protection impact assessment, data protection officer, record keeping obligations) will have a significant impact as they affect all internal processes and related timing. This is also seen in companies’ decision-making and procurement stages, which may be prolonged as a result of the need to include express data privacy assessment steps in the overall process,” Roxana Ionescu, partner and head of data protection at law firm NNDKP, told BR.
Furthermore, the new rules will also have a direct impact on firms’ infrastructure, as all applications, databases and related systems need to work in the new framework, added the lawyer.
For instance, data breach notifications will become mandatory in all member states, and must take place within 72 hours of the breach being discovered. Individuals will also have the right to ask for their data to be erased.
“In Romania, we can say that data privacy has not yet been the biggest concern of companies’ management boards. Currently the mindset for data privacy is in its early stages,” said Stoicescu of PwC Romania.
What should companies know?
Firms facing delays in upgrading their data infrastructure to comply with the new rules risk paying hefty fines which could even undermine their business footing and drag them into costly lawsuits. And the challenge is that market incumbents still have fairly low awareness of the GDPR, although it preserves core elements from the Data Protection Directive 95/46/EC, says Andrei Georgescu, partner at law firm Suciu Popa.
“The supervisory authorities enjoy fairly extensive discretion to apply one or more measures, from issuing a warning or imposing a temporary or definitive ban on processing personal data, up to imposing fines of as much as EUR 20 million or 4 percent of the total worldwide turnover, depending on the circumstances of each individual case, or even both,” Georgescu told BR. In contrast, fines under current Romanian legislation do not exceed around EUR 22,000.
Some larger companies might even have to hire Data Protection Officers (DPOs), who are experts in their field and who will report directly to top management.
Although the average costs of Romanian companies meeting the rules resulting from the GDPR haven’t yet been crunched, at international level the investment requirements have been calculated. For instance, members of the Fortune 500 will spend a combined USD 7.8 billion to avoid falling foul of Brussels’ GDPR, according to estimates compiled by the International Association of Privacy Professionals (IAPP) and EY. This amounts to an average of almost USD 16 million each, says the Financial Times.
Meanwhile, SMEs in Romania, which create most of the country’s jobs, do not have access to any measures or programs for information and advice regarding the GDPR, according to the National Council of SMEs in Romania (CNIPMMR).
The organization says that SMEs will have to spend more, be it on staff or legal advice, to make sure they comply with the law.
“Our expectation is that large firms or those processing large amounts of personal data will be more aware and more prepared to implement the changes brought about by the new rules. The biggest challenge is for small and medium companies that need to be aware of the data sets they collect and process, which they have to protect,” Valerica Dragomir, executive director of the Employers’ Association of the Software and Services Industry (ANIS), told BR.
There might be additional challenges for technology companies, as suppliers of solutions for third parties, because they have to build systems capable of responding quickly to any requirement under the GDPR.
“Against this backdrop, the concepts of ‘privacy by design’ and ‘privacy by default’ become extremely important, because they are needed for the construction of processes and applications to respect GDPR principles right from the start,” said Dragomir.