On 25 May 2018, the General Data Protection Regulation (GDPR) will enter into force and apply in all 28 EU member states. GDPR imposes much stricter rules for personal data processing than current regulations, as well as penalties that can be characterized as draconian: for the breach of certain GDPR provisions, the maximum monetary penalty is up to 4% of the company’s global annual turnover or 20 million EUR, whichever of the two is higher.
The question is, how does GDPR, as an EU regulation, influence the business activity of Serbian companies? Namely, GDPR stipulates extraterritorial application in cases in which a Serbian company processes personal data of EU citizens. In the era of the data economy and industrial digitalization, it is not hard to imagine that such data processing will indeed take place, especially by companies that perform their business activity on the internet. GDPR will apply to such companies, meaning that they cannot afford to be unprepared for 25 May 2018. Otherwise, Serbian companies processing EU citizens’ personal data in any way may face penalties and reputational risks that can jeopardize their businesses.
GDPR stipulates, inter alia, an obligation of a company to appoint a Data Protection Officer in certain cases. Therefore, certain companies will need to engage a data protection expert, but this is certainly recommended for all other companies that process personal data as described. Additionally, companies will need to implement stricter organizational and technical measures for protection of personal data integrity (encryption, back-up etc.), as well as make privacy assessments, and generally factor in data protection issues when preparing their business plans. Companies that process personal data will have an obligation to report personal data breaches to competent authorities and to inform citizens about such breaches of their personal data.
The Serbian Ministry of Justice recently published a draft of the Personal Data Protection Bill and a public call for participation in public hearings which will last from 1 December 2017 to 15 January 2018. This draft largely entails provisions of GDPR, i.e. imposes considerably stricter criteria for personal data processing on the national level.
In light of the above events, it is extremely important that Serbian companies undertake steps to prepare for the beginning of GDPR’s application as soon as possible. This entails the preparation of internal analyses of personal data that are already being processed or are to be processed in the near future, and harmonization of internal policies and practices not only in the legal, but also in the technical and organizational sense. Also, it is of utmost importance that companies pay attention to the education of their employees in order to acquaint them with the obligations and consequences of GDPR.