GDPR: High Season for Preparation

  • December 05, 2017
  • Levente Hörömpöli-Tóth
With the applicability date of the General Data Protection Regulation (GDPR) of the European Union due in about half a year, the business community needs to speed up measures for timely compliance. A recent conference hosted by the American Chamber of Commerce in Hungary (AmCham) provided a platform to address the most important aspects related to the preparatory phase.

The following article will also be published in the December issue of the BBJ and Journal. 

A recent survey by AmCham found that 78.7% of its members believe that the core business of their companies is affected by GDPR. This is yet another indication that preparation for the new data protection legislation is gaining in importance, with the date of implementation approaching quickly.

Dr. Gábor Orosz, chairman of AmCham’s Regulatory Committee, highlighted in his opening remarks that B2B challenges are often ignored because the focus tends to be on consumers in terms of data issues. “However, a large number of the members of our organization act in the B2B sphere, so this aspect must be borne in mind as well,” he said.

Additionally, data flow between U.S. and Hungarian companies is key, so it is a matter of competitiveness whether data can be transmitted freely across borders. “The adjustment of relevant laws is therefore absolutely imperative so that local companies won’t lag behind in the global competition,” concluded Orosz.

Data protection reform reaches well beyond the scope of the GDPR, though, warned Dr. Attila Péterfalvi, President of the National Authority for Data Protection and Freedom of Information (NAIH), in his keynote speech. As a matter of fact, even if GDPR is the main pillar of the newly established regime, there are also changes in the sphere of criminal law to consider. “The ultimate goal here is to respond to digital development and set up a uniform regime of legal protection across the European Union,” said Péterfalvi.

Mark the Date

He further emphasized that the period for preparation will end on May 25, 2018, which marks the date of the new EU legislation becoming applicable. The result should be a more consistent and solid legal framework, smoother implementation, elevated legal certainty and a strengthened right to information self-determination. Most importantly, those involved in data processing at legal entities must be aware of what type of data they deal with, and whether their data protection policies comply with the new regulations.

Another novelty is the possibility to issue a code of conduct, which will serve as a substantial tool based on self-regulation to ensure enforcement of compliance. However, it remains to be seen to what extent it will be bent to the needs of different industries, the expert added.

Simultaneously, the main guiding principles of the legislation are the protection of natural persons, free flow of personal data and cooperation between authorities. Whilst the powers of those authorities will change partially and be expanded, the European Data Protection Board and the European Court of Justice will assume a crucial role in dispute settlement, and their opinions will also contribute to establishing a uniform case law.

Péterfalvi also stressed the importance of having standardized penalties across the EU. “The idea is not to impose maximum penalties of billions of forints, though,” he noted. “NAIH will continue to function as a service providing authority.”

An extended data breach incident reporting obligation will be introduced under the new regime, where the foreseen self-reporting obligation might cause some concern. “In this respect, a climate of mutual confidence will be important,” noted Péterfalvi. It was also pointed out that all parts of an entity processing data should be made aware of the importance of incidents; such matters cannot be treated as issues that concern only the legal department.

Awaiting guidelines

The direct applicability of the GDPR is only one of many legal obligations the Hungarian legal system must fulfill, Deputy State Secretary of the Ministry of Justice Dr. László Péter Salgó highlighted. Apart from that, the relevant EU Directive 2016/680 on the criminal law implications of the regime must be transposed as well.

In this regard, Act CXII of 2011 on the right to information self-determination and freedom of information, colloquially referred to as the “Info Act”, bears significance; apart from the directly applicable GDPR, it is the Info Act that will need to be invoked, in particular with regard to criminal law-related data processing issues.

Unfortunately, the long-awaited guidelines from NAIH that would certainly make the life of corporations easier are still being prepared. “Indeed, we are delayed in providing them, but the national rules have not been completed yet,” explained Péterfalvi.

“NAIH will provide information on its website as soon as possible.”

Drafting of a legal commentary can likewise begin only after the relevant bill has been tabled for a vote in Parliament, which hopefully won’t be torn apart by individual petitions. “The bill should be ready for adoption by February and plenary adoption by the Parliament is foreseen in the spring,” Salgó said in an overview of the legislative schedule.

GDPR Speed dating

The event also provided a unique opportunity to meet GDPR solution-providers during speed dating sessions. Participants could meet the following experts: 

  • Dangers of visual theft - 3M Hungary: Róbert Engi and Skrla Olessia 
  • What a good GDPR project? - CMS Attorneys at Law: Dr. Dóra Petrányi and Dr. Márton Domokos 
  • Practical data protection audit and education - Szecskay Attorneys at Law: Dr. Zoltán Kovács 
  • Technological solutions for GDPR - VirtDB: András Czermák