In 2019 the Romanian Association of Privacy and Data Protection Specialists (ASCPD) launched the first research study that aims to evaluate awareness among private individuals of the importance of their personal data. Among the conclusions, we note that Romanians have understood how important their personal data and their rights are, which increases the pressure on companies and public institutions. We must keep in mind that most data operators in Romania attempted to comply with the GDPR principles only at a formal level, and they may face a wave of lawsuits in the future. A unified national public interest message is needed to remind operators and individuals of the importance of personal data.
Key words: awareness, data value, formal compliance, data protection officer, professional challenges
Romanian study group description:
• 1191 respondents from 06.02.2019 to 28.02.2019
• 59.4% female and 40.6% male
• 57.7% aged between 30 and 50, 28% aged between 18 and 30 and 14.4% over 50 years old
• Education level (40.4% college, 23.2% college post-graduate studies, 21.3% high school, 10.5% high school post-studies and 4.5% primary education)
• 83.8% with urban residence and 16.2% with rural residence
• With stable residence in all 42 counties of Romania
The context and premise from which the development of this ASCPD study has been initiated:
• Since May 25, 2016, EU Regulation 2016/679, known as the General Data Protection Regulation (GDPR), basically states that the information held by a company or institution about private individuals is personal data and cannot move freely and unconditionally. This data must be protected, and the responsibility for its protection lies entirely with the data controllers.
• The General Data Protection Regulation is very strict and provides severe sanctions for any deviations. Experts say that the GDPR introduces a real revolution in this field in terms of its impact on the smooth functioning of all businesses, small and large, in Europe and beyond.
• The General Data Protection Regulation applies to virtually any business regardless of its field of activity. The concept of “personal data” has become so wide that any company working with such data – whether it is employees’, clients’ or patients’ personal data – instantly becomes subject to the GDPR.
• The European Union’s grace period for compliance with the stated principles and explicit obligations was met by only a small percentage of Romanian operators. Many institutions tried to find a formal solution, citing the lack of a budget to justify rapid selections for mandatory training and the nomination of Data Protection Officers.
• The lack of education among the public and specialized personnel, and of awareness of the importance of personal data, can also be explained by the lack of a high-impact information campaign aimed at increasing everyone’s knowledge of how to identify personal data and how to protect it, implicitly and instinctively.
The individual has become a challenge for the entire Romanian data protection system because, through lack of education, the whole professional body faces unjustified and insufficiently documented requests for selective deletion of information or unjustified corrections to documents. These requests will certainly not be settled in favor of the data subject, as there are several specific regulations regarding retention periods and the possibilities of restricted and conditional access. The guardian of privacy and personal data protection mechanisms remains the Data Protection Officer, a newly emerging profession that is probably facing the greatest professional challenges because of the general nature of the General Data Protection Regulation (EU) 2016/679 and the lack of unitary benchmarks for its interpretation and implementation.
According to previous studies, Romania’s population today has an increased level of access to technology, often using the Internet, with a surprisingly high level of information obtained from the internet (the “Dr. Google” phenomenon). However, at the declarative level, 76% of respondents confirmed that they do not trust the news and information received through social media networks and, on a confidence scale from 1 to 10, they assign it a maximum of 5.
Respondents have a low degree of awareness of all types of personal data but nevertheless have a strong sense of ownership, 97.3% claiming to be informed if data is stolen or lost and 87.4% confirming the importance of these data for them.
67.9% say it is difficult to protect their own personal data, while 24.7% have not yet heard of the Romanian Data Protection Authority (ANSPDCP).
47.1% believe they are “partially” informed about personal data protection rights, 10.8% claiming they are not informed at all.
The degree of awareness of the types of personal data defined by the new General Data Protection Regulation with the phrase “ANY information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly” is low, a fact explained by the lack of information campaigns.
Top 10 personal data identified by the respondents: personal identification number (CNP) 98.81%, financial data (wage, bank account) 97.71%, medical data (health information) 95%, fingerprints 94.92%, home address 91.36%, information about sexual life or sexual orientation 90.18%, date and place of birth 88.65%, phone number / email 87.04%, photos 84.76% and online identifier (IP) 81.88%.
Top 10 personal data that were not identified by the respondents: things they do (hobbies, sports, places they visit) 48.94%, friendship list 48.77%, political views 48.01%, affiliation to organizations (NGOs, trade unions) 47.93%, preferences 44.20%, occupation / work 38.10%, websites they visit 36.07%, religious confession 34.38%, criminal activity (criminal convictions, crimes, amnesty) 27.27% and images captured by surveillance cameras 22.02%. This category of data, unrecognized as personal data, contains special categories that Regulation (EU) 2016/679 (GDPR) considers sensitive data and that must be protected by additional measures.