But if an IT project is integrated into a chain of personal data processors (social network APIs are connected, third-party obligations are outsourced, etc.) and one of the links in that chain suffers an information leak, all participants in the personal data transmission chain are subject to liability. Identified violations are subject to fines as high as 20 million euros, imposed directly or by recourse.
To comply with the Regulation and avoid issues and fines, at least the following documentation should be developed for an IT project:
- Publicised privacy policy compliant with GDPR;
- Internal policy for the protection of personal data;
- List of actions with personal data;
- Policy for responding to security flaws;
- Form of notification of the supervisory authority about personal data leak;
- Form of notification of the subject about personal data leak;
- Data retention policy.
Unfortunately, there is no universal template for creating the documentation described above. The level of detail depends on the frequency, volume, and nature of the personal data processing.
Projects in which data is continuously processed require a full-time Data Protection Officer (DPO) and a Permanent Representative in the EU (DPR), who will liaise with supervisory authorities and take responsibility in case of violation of EU legislation.
Developing documentation, internal practices, and policies in accordance with the requirements of the Regulation requires deep legal analysis, and implementing them requires a technical audit. In addition, when processing personal data it is necessary to adhere to the principles of processing (lawfulness, transparency, data minimisation), which also requires legal assistance.
To avoid problems with personal data, we recommend contacting the VigoLex team of lawyers from the first day the IT project enters the market. Solving problems afterwards will be much more difficult and expensive.