GDPR standard price Serbia

GDPR

The new challenges in personal data protection stem from technological development and globalization. The volume of personal data collected and exchanged has grown sharply in recent years, and its misuse prompted a new legal framework, the General Data Protection Regulation (GDPR). The regulation, adopted by the European Parliament and the Council of the European Union after years of negotiation, has applied since May 25, 2018 in all EU member states and the European Economic Area (EEA). Its reach is not limited to organizations established in the EU: an organization anywhere in the world falls under the GDPR if it processes personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour.

The GDPR imposes strict penalties on organizations that violate its security and privacy requirements, with fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. It also restricts transfers of personal data outside the European Union. Such a transfer is permitted only if one of the following conditions is met:

  • The destination country is on the list of countries for which the European Commission has issued an adequacy decision, i.e. has determined that it provides an adequate level of personal data protection.
  • The competent supervisory authority has specifically authorised the transfer (for example, on the basis of ad hoc contractual clauses).
  • The data subject has explicitly consented to the transfer after being informed of its possible risks.
  • The transfer is necessary for the performance of a contract, to protect the vital interests of a person, or for important reasons of public interest.
  • Another mechanism provides appropriate safeguards for the transfer, such as Binding Corporate Rules (BCR), standard data protection clauses, an approved code of conduct, or an approved certification.

Law on Personal Data Protection in Serbia

To align its legislation with the EU framework, the Republic of Serbia passed the Law on Personal Data Protection, published in the "Official Gazette of RS" No. 87/2018 on November 13, 2018 and applicable from August 21, 2019.

If your organization processes personal data, it must do so in accordance with the seven principles of processing set out in Article 5 of the Law on Personal Data Protection, which mirror Article 5 of the GDPR:

  1. Lawfulness, fairness and transparency: data must be processed lawfully, fairly and in a manner transparent to the data subject.
  2. Purpose limitation: data must be collected for specified, explicit and legitimate purposes, stated to the data subject at the time of collection, and not further processed in a way incompatible with those purposes.
  3. Data minimisation: only data that is adequate, relevant and limited to what is necessary for those purposes may be collected and processed.
  4. Accuracy: personal data must be kept accurate and, where necessary, up to date.
  5. Storage limitation: personal data may be kept in a form that identifies the data subject only for as long as necessary for the stated purpose.
  6. Integrity and confidentiality: processing must ensure appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (for example through encryption or pseudonymisation).
  7. Accountability: the controller is responsible for compliance with the principles above and must be able to demonstrate it.
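
How the minimisation, storage-limitation and integrity/confidentiality principles translate into code, as an added example that is not part of the original page or of any official guidance: a small policy-as-code check in Python. The purposes, allowed fields, retention periods and sample records are constructed for illustration, the HMAC key is an inline placeholder standing in for one fetched from a key management system, and the 72-hour deadline helper reflects the GDPR Article 33 notification window discussed later on the page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical processing policy for this example: each purpose lists the
# fields it is allowed to hold (data minimisation) and how long records may
# be kept (storage limitation). Purposes, fields and periods are constructed
# here and are not taken from the page or from any law.
POLICY = {
    "order_fulfilment": {"fields": {"name", "email", "address"}, "retention_days": 365},
    "analytics": {"fields": {"email", "country"}, "retention_days": 90},
}

# Constructed sample records; the people and addresses are fictitious.
SAMPLE_RECORDS = [
    {
        "id": 1,
        "purpose": "order_fulfilment",
        "collected_at": datetime(2023, 1, 15, tzinfo=timezone.utc),
        "data": {"name": "A. Petrović", "email": "A.Petrovic@example.com",
                 "address": "Bulevar 1, Beograd", "birth_date": "1990-01-01"},
    },
    {
        "id": 2,
        "purpose": "analytics",
        "collected_at": datetime(2024, 4, 1, tzinfo=timezone.utc),
        "data": {"email": "b.jovic@example.com", "country": "RS", "name": "B. Jović"},
    },
]


def minimise(data: dict, purpose: str) -> dict:
    """Principle 3: keep only the fields the stated purpose needs."""
    allowed = POLICY[purpose]["fields"]
    return {field: value for field, value in data.items() if field in allowed}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Principle 6: replace a direct identifier with a keyed HMAC-SHA256 token.

    The token can be re-linked to the person only by whoever holds the key,
    so a leaked analytics table without the key does not expose the identifier.
    Normalising case and whitespace keeps the token stable for the same person.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def is_expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """Principle 5: a record is past its retention period once the policy's
    retention window, counted from collection, has elapsed."""
    return now >= collected_at + timedelta(days=POLICY[purpose]["retention_days"])


def records_to_purge(records: list, now: datetime) -> list:
    """Return the ids of records that must be deleted (or anonymised) now."""
    return [r["id"] for r in records if is_expired(r["collected_at"], r["purpose"], now)]


def breach_notification_deadline(became_aware_at: datetime) -> datetime:
    """GDPR Article 33: notify the supervisory authority without undue delay
    and, where feasible, no later than 72 hours after becoming aware."""
    return became_aware_at + timedelta(hours=72)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    key = b"example-pseudonymisation-key"  # placeholder; in practice from a KMS/HSM, never source code
    for record in SAMPLE_RECORDS:
        kept = minimise(record["data"], record["purpose"])
        if record["purpose"] == "analytics" and "email" in kept:
            kept["email"] = pseudonymise(kept["email"], key)
        status = "EXPIRED" if is_expired(record["collected_at"], record["purpose"], now) else "ok"
        print(record["id"], kept, status)
    print("purge:", records_to_purge(SAMPLE_RECORDS, now))
    print("notify authority by:", breach_notification_deadline(now).isoformat())
```

Run as a script it shows record 1 (collected January 2023 for order fulfilment) flagged for purging, record 2 reduced to a pseudonymised e-mail and a country code, and the notification deadline 72 hours after the chosen "became aware" timestamp. The point of a keyed HMAC rather than a plain hash is that an attacker who obtains the pseudonymised table cannot recompute tokens from guessed e-mail addresses without the key.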

Similarities and Differences Between GDPR and ISO 27701 Standards

The General Data Protection Regulation (GDPR) is binding law for organizations that process personal data of natural persons who are in the EU (it does not protect legal entities), while ISO/IEC 27701 is a voluntary standard that extends ISO/IEC 27001 and 27002 with requirements for a Privacy Information Management System (PIMS) and can be certified against. The GDPR also grants data subjects enforceable rights, such as the right to have their data erased and to control how it is shared with third parties; ISO 27701 contains controls that help an organization handle such requests but does not itself create any rights.

Under the regulation, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the breach is likely to result in a high risk to the rights and freedoms of the affected persons, the controller must also notify the data subjects themselves; ISO 27701 imposes no such statutory deadlines. Fines for non-compliance with the GDPR's security and processing requirements can reach 4% of an organization's worldwide annual turnover. With such high stakes, companies cannot afford to neglect the risk assessment and data protection discipline that ISO 27701 provides.

ISO 27701 certification does not by itself guarantee GDPR compliance (the standard is not a certification mechanism under Article 42 of the GDPR), but it gives an organization a structured, audited way to meet the regulation's requirements and reduces the likelihood of costly penalties. The standard treats personal data as information security assets, subject to limits on storage, retention period, collection and access, which are also GDPR requirements. While the GDPR regulates how personal data may be collected and processed, the standard gives guidance on how to keep the collected data confidential and secure.

Data privacy regulations are becoming increasingly complex, with new provisions and protections added every year. Looking ahead, organizations that want a strategic advantage over competitors will need to integrate security standards into every aspect of their operations. In some cases, organizations are required to appoint a Data Protection Officer (DPO), which we will discuss separately in future blog posts.