Starting May 25, 2018, we will witness a European revolution in personal data processing with the entry into force of EU Regulation 679/2016, the General Data Protection Regulation, or GDPR for short.
Until now, the processing of personal data was governed in particular by Law 677/2001; from now on there are new European rules, directly applicable and without the need for complementary national legislation.
The implications of implementing the GDPR and the scale of its effects will be unprecedented, affecting the entire current way of handling personal data.
Leaving aside the application of the GDPR in the economic, business and state institution sectors, we will focus on its implications in the NGO environment, where there is a huge amount of personal data that in most cases is managed in a totally inappropriate and risk-prone manner.
GDPR comes with new regulations on the storage, processing and transit of personal data within and between EU Member States. We will mention only a few essential aspects with applicability in the NGO environment and the possible sanctions in case of non-compliance with the norms:
The data subject, whether volunteer, employee, collaborator, beneficiary or donor, must give explicit consent to the way his or her personal data will be processed;
The data subject must be informed of his or her rights to update, modify and delete personal data, as well as the right to consult his or her personal data whenever needed;
The data subject must be explicitly informed of the ways to object to the processing, as well as the legal remedies available;
The data subject has the right to be "forgotten", that is, to have his or her personal data removed or anonymised so that identification of the person becomes impossible;
The entity processing personal data must ensure safe data storage conditions, following new standards that may require, as the case may be, upgrading the IT system and / or the way personal data is managed. It follows that there will be implementation costs at the level of the legal entity;
The processing entity will have to report any incident related to the personal data management systems, e.g. computer attack, intrusion, data leakage, etc.;
The processing entity will need to organise its data in such a way as to ensure its portability. Specifically, the data subject may request the export of his or her data in a generally accepted format for import / transfer to another system, e.g. an Excel file, a CSV file, a database export, etc.
In some cases, it may be necessary to hire or train a person to fill the office of Personal Data Security Officer, with all the responsibilities that the law assigns to it.
In the web domain, users / visitors to the organisation's site must explicitly agree to the processing of their personal data, even if it is only the email address used to create a user account or entered in a contact form.
Additionally, pre-filled fields will no longer be accepted, such as a pre-ticked Newsletter / News subscription checkbox. Such checkboxes must be ticked by the user, which excludes the risk of inadvertently passing over a pre-filled field. The same applies to accepting the terms of use, legal terms, cookie policy, privacy policy, etc.
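As an added illustration (not code from the original article), the following Node.js snippet shows server-side handling of a sign-up form under the two rules above: consent boxes start unticked and count only when the user ticks them, the resulting consent record notes what was agreed and when, and the data subject's records can be exported as CSV for portability. Form field names, the purposes, the policy version and the sample rows are all hypothetical.

```javascript
// Purposes the form asks consent for; none may be pre-ticked (hypothetical names).
const CONSENT_PURPOSES = ["account", "newsletter"];
const PRIVACY_POLICY_VERSION = "2018-05-25"; // constructed value

// State sent to the browser when rendering the form: every box unchecked.
function defaultFormState() {
  const state = {};
  for (const p of CONSENT_PURPOSES) state[p] = false;
  return state;
}

// Guard against a pre-filled template: true only if no box is ticked by default.
function noPreTickedBoxes(state) {
  return CONSENT_PURPOSES.every((p) => state[p] === false);
}

// Validate a parsed POST body such as { email: "...", consent_account: "on" }.
// A browser only sends a checkbox field when the user actually ticked it.
function processSubmission(submitted, now = new Date()) {
  const errors = [];
  const granted = {};
  for (const p of CONSENT_PURPOSES) granted[p] = submitted[`consent_${p}`] === "on";
  // Consent to process the email address is required even for a plain account.
  if (!granted.account) errors.push("explicit consent to process the email address is required");
  if (!submitted.email || !/^[^@\s]+@[^@\s]+$/.test(submitted.email)) errors.push("invalid email");
  if (errors.length) return { ok: false, errors, record: null };
  // Consent record kept alongside the data so the NGO can later show how
  // consent was obtained: purposes, timestamp and policy version.
  const record = {
    email: submitted.email,
    granted,
    policyVersion: PRIVACY_POLICY_VERSION,
    grantedAt: now.toISOString(),
  };
  return { ok: true, errors, record };
}

// Portability export: rows of the subject's data as RFC 4180-style CSV,
// quoting any value that contains a comma, quote or newline.
function exportSubjectData(rows) {
  if (rows.length === 0) return "";
  const esc = (v) => {
    const s = String(v);
    return /[",\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
  };
  const header = Object.keys(rows[0]);
  const lines = rows.map((r) => header.map((h) => esc(r[h])).join(","));
  return [header.join(","), ...lines].join("\n");
}
```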
Also in the web domain, the site owner has to demonstrate that security measures are in place for the storage and processing of personal data, covering both the site itself and the entity that hosts it. The site owner should therefore contact the hosting provider and obtain a statement on how the personal data stored in the site and / or its database(s) are secured.