Employers in Hungary have until May 25, 2018 to comply with the rules of the General Data Protection Regulation. While that may seem some way off, experts warn that, due to the various types and large volume of data, this is a highly complex task.
Even though there seems to be plenty of time left until the Regulation (EU) 2016/679, better known as the General Data Protection Regulation (GDPR), comes into full force, companies had better start preparing to take appropriate measures for timely compliance.
As PwC experts pointed out at a press conference on the issue, the process promises to be very time-consuming, with phase one being the assessment of existing data assets.
Employers need to identify what kind of personal data they store and use. The legal basis and purpose of such activities must also be determined, with the former being a particularly sensitive point. In the future, the lack of a proper legal basis for storing and using personal data will have the legal consequence that the data must be deleted.
Companies will also need to identify exactly which personal data should be managed by employers, for how long it should be stored, and who will have access to it.
“Once the decisions are made that are necessary for future data management, the relevant internal regulations must be set up that describe clearly the applicable data management rules to employees,” says László Szűcs, legal specialist at Réti, Antall & Társai PwC. “Workers must also be informed about their rights concerning data deletion and the management of incorrect data.”
As the expert points out, for certain types of data management the GDPR grants the persons concerned entirely new rights compared with the current regulation. Since the employment relationship is quite complex from a legal standpoint, employers must manage a large number of different types of personal data.
It is impossible to draw up separate data protection regulations for all kinds of personal data or data management practices, so a coherent framework regulation is recommended that applies to the totality of employee personal data.
The framework regulation can then be supplemented by annexes on specific areas, such as laptop use, GPS records, or health records relating to positions intended for rehabilitation purposes.
“Standardization of regulations is possible up to a point, yet they need to be based on individual types of data management procedures applied by employers,” says András Csenterics, a legal specialist in data protection and data security at Réti, Antall & Társai PwC. “In this regard, we can barely talk about two identically operating employers.”
After the regulations have been drawn up, employers must make sure that workers become acquainted with the new rules on data management. The most effective way to do so is training in which the data management rules summarized in the regulations are presented to employees.
In addition, a data protection officer needs to be appointed to ensure that data protection rules are being observed, and companies with more than 250 employees also have the obligation to set up a register documenting all data management records.
Finally, the data security compliance of certain IT systems will also be subject to review, and other complex tasks will have to be dealt with as well, such as deletion of illegally managed data or preparing the conditions for data mobility.