Keep calm, don´t panic, says Commissioner Jourová

Every entrepreneur should consider whether there is a risk of data leakage in his or her business. Companies that largely trade and sell data and collect data systematically about specific people need to take appropriate measures under the GDPR regulation and ask for the consent of their clients.

The regulation does not apply to specific sectors. What matters is the systematic collection of personal data. GDPR is not a revolution but an evolution of the rules that already exist based on the EU directive, respectively on national laws regarding personal data protection. The revision of existing rules has been motivated by the digital transformation. According to Jana Břeská from the Czech professional association for Internet development there are new measures which will mainly concern the online world characterized by small start-ups of only one or two employees. The regulation newly concerns IP addresses and online identifiers. GDPR will be a challenge for small companies as there are practically no exemptions for SMEs unless they do not process large amounts of data. The only exemption for SMEs who do not systematically process the (risk) data concerns the obligation regarding the record of processing activities.

Tereza Šamanová from the Confederation of Industry Czech Republic says, that it will be applied in only a few cases. Appointment of a data protection officer within a company will be another challenge, she says, especially for small companies who can have a limited capacity to judge the quality of external service providers in this regard. She also stresses that there is no legal EU or national certification of data protection officers. Still, the Czech legislation is coming. Till today, only a few Member States provided necessary national legislative changes regarding the regulation. The regulation is directly applicable but national rules can be helpful for better interpretation and legal certainty for its users. Věra Jourová, the EU Commissioner responsible for GDPR, promises to be tough on state authorities and call on governments to quickly adopt the necessary legislative changes. The regulation is to be generally applied but Jourová says there is still room for flexibility. The Member States can introduce special exemptions for state authorities. Regarding the indicated fines in the regulation, Jourová explains that they should be applied in a reasonable manner.