The abbreviation GDPR has been one of the most popular terms among entrepreneurs in recent months. According to Google Trends, interest in the topic of personal data protection began to grow at the beginning of this year and has been steadily increasing ever since. Training offers, free webinars, ministerial guides and even attempts at “GDPR” fraud appear every day in Google results and social media.
Source: https://trends.google.pl/trends/explore?q=rodo&geo=PL

What is the GDPR phenomenon?
GDPR is an EU regulation on personal data protection that will come into force on 25 May 2018. The document introduces fundamental changes in the approach to personal data protection throughout the European Union. The text of the GDPR is general and universal, so it can be continuously adapted to technological changes. The detailed provisions that flesh out the regulation will be included in the new Polish Personal Data Protection Act, which is currently at the first reading stage in the Sejm (status as of 4 May 2018).
The main objectives of the changes being introduced are:
- Harmonisation of regulations across the European Union
- Protection of personal data at every stage of solution design and data processing
- Increasing customer confidence in businesses, e.g. online shops
- Increasing awareness of personal data among citizens.
The European Union estimates that the introduction of a single common legal document regulating the protection of personal data will save around €2.3 billion. (source: http://ec.europa.eu/justice/smedataprotect/index_en.htm)
Whose data does the GDPR protect?
The protection applies to all natural persons whose data is processed within the European Union. It is worth noting that even the mere storage of personal data constitutes processing. Let us not be misled by the impression that data processing only takes place on the internet or in IT systems. Data protection also covers data from traditional paper records, such as HR documents or even business notes.
The right to be forgotten and exceptions to the rule
“The controller who has made personal data public should be obliged to inform controllers who process that data to remove links, copies and references to that personal data.”
GDPR, Article 17(2)
The GDPR grants data subjects numerous rights, including the so-called “right to be forgotten”. This means that a newsletter subscriber may request the immediate deletion of their data from the system. It will be easiest to request the deletion of data processed on the basis of consent. It is more difficult where processing is based on a contract, because there are situations in which we will be forced to retain data even if its owner would like us to delete it. For example, an employer must retain personnel documents for 50 years, and a seller must retain transaction data for as long as claims, complaints or tax audits remain possible.
Who will be affected by the new regulations?
In practice, the GDPR will apply to all businesses. However, in Poland, there are plans to make things easier for companies with fewer than 250 employees. Mainly, the requirements for keeping records and documentation are to be limited.
Personal or domestic activities are excluded from the GDPR, so, for example, saving names, surnames or numbers in a private telephone or notebook will not constitute data processing. The GDPR will also not cover the data of deceased persons or the data of legal persons (e.g. addresses of companies, associations).

GDPR principles
- Lawfulness, fairness and transparency – We only process data in a lawful manner, with a legal basis. We provide fair information about the rights of data subjects.
- Purpose limitation – We process data only for specific and legitimate purposes. We do not collect data “just in case”.
- Data minimisation – We collect data only to the extent necessary for a specific purpose, e.g. when collecting newsletter subscriptions, we should not collect any data other than the email address and possibly the first name.
- Accuracy – The data processed should be accurate and up to date.
- Storage limitation – Data should not be stored for longer than necessary. Data must not be stored without a clear purpose.
- Confidentiality – Protection against leakage, unlawful processing, destruction or damage. This is a particularly important point for all businesses with websites or electronic data registers.
- Accountability – This point summarises the previous six. When adapting a company to the new regulations, we must have a basis for proving and demonstrating how we comply with them. Reliably prepared documentation and procedures will help.
Consent and contract
Consent to data processing is one of the legal bases for processing – but not the only one! Consent to data processing does not need to be obtained in particular when processing is necessary for the performance of a contract – e.g. an online shop sells books by mail order. In this case, it does not need to ask for consent to process data. Data processing will be compliant with the GDPR as it is necessary for the performance of a contract (sale and delivery of a product).
Reporting breaches in accordance with the GDPR
In the event of a personal data breach, e.g. a data leak, there is an obligation to report such an incident within 72 hours. If we admit to the mistake ourselves, we can count on mitigating circumstances, e.g. waiver of penalties, especially if the breach was not caused by obvious negligence. Therefore, it is worth developing appropriate procedures to respond quickly if necessary.
Why we fear the GDPR – a few words about… penalties.
The personal data controller is always responsible for the protection of personal data, and in most cases this will be the company that provides the services or goods.
The GDPR introduces high, deterrent penalties. Violations will be divided into minor (e.g. lack of activity logs) and more serious (e.g. processing data without a legal basis or conducting so-called hidden recruitment). The upper limit of the penalties imposed may range from 10 to 20 million euros or 2-4% of the total annual global turnover (from the previous year). The amount will depend on the form of the violation. It is worth mentioning that conducting so-called hidden recruitment (where the identity of the employer is not disclosed) will be subject to a heavier penalty. We mention this because, unfortunately, it is a common practice. The GDPR, however, requires that information about the data controller be made public!
Summary
When preparing for the GDPR, there is no need to panic. A well-thought-out action plan and reliable documentation are the keys to success. If you have not done so yet, we recommend starting with an audit of the current state of protection in your company: whether and what data you process, whether you have the right to do so, whether the data is well secured, and whether you are able to identify who has access to it. It is also important to ensure that our systems, computers and mailboxes are protected with strong passwords. Let us not forget about mobile devices with company mailboxes or applications containing personal data connected to them. The regulation does not provide specific guidelines on how to do this, except for one: effectively!


