Changes in GDPR in Slovakia

Companies will have to carry out data protection impact assessments more frequently, for example for camera systems, cloud solutions, biometric data, or tools based on artificial intelligence. A DPIA will also be required when processing is directly required by law.

Companies must prove that they are effectively protecting data. Encryption, access control, two-factor authentication, incident monitoring, and clearly defined procedures for how an organization should respond to an incident are expected, which now will have to be reported electronically and within shorter time period.

The responsible person will play a more active role. The range of organizations that must have the person is expanding, and new tasks are being set for them, such as overseeing risk assessments, conducting regular internal audits, and participating in incident resolution. For many smaller companies, this may mean the need to use an external expert

The regulation will also include new criminal provisions on digital forgery (deepfakes), which establish a new criminal offense focused on the unauthorized creation and dissemination of realistic-looking audio/video content created by artificial intelligence. Companies will have to consider the risks of reputational attacks via AI and have internal policies and crisis scenarios in place for such situations. In digital communication and marketing with AI content, consent, licensing, and authenticity must be addressed even more thoroughly.

Impact on companies and organizations

• Regular updates to internal personal data protection policies and security protocols.
• Investment in modern IT and security systems for data protection.
• Employee training with an emphasis on GDPR implementation and incident prevention.
• Thorough record-keeping of consents and documentation of personal data processing.

The change in legislation will also poses a challenge for data transfers to and from third countries, where increased protection standards will have to be complied with under the new legislation.

HR agenda, attendance, home office tools, and GPS vehicle tracking will require clear legal bases for processing, information obligations, retention regimes, and technical measures.

Companies will be required to report security incidents electronically within a short time and to cooperate with the Office in investigating and remedying the consequences.

Penalties for GDPR violations will remain severe, with maximum sanctions of up to €20 million or 4% of a company's global annual turnover. The Office will carry out increased controls, particularly in relation to new legislation and the digitization of processes.