GDPR is a consensus, an answer and a challenge
The principles of privacy protection in the era of smartphones, life in virtual reality and the big data phenomenon used to be determined by laws dating back to times when Google did not exist and Yahoo had only just been founded. The only mobile telephone network in Poland at the time had 35,000 subscribers, who used Nokia 150 models. While reality was galloping forward, the law was stagnating. GDPR had to happen — affirm Małgorzata Jankowska-Blank and Jacek Grabowski, experts at Gemius.
GDPR is the answer to the question of how to protect privacy in the face of technological progress. It is also an attempt to find the golden mean between securing the interests of your average Joe Bloggs and preventing business development from being hampered at the same time. Reaching a consensus in a situation where contrary interests often need to be balanced posed a serious challenge for the authors of the regulation. Companies which collect and process personal data are now facing an equally important challenge. So how should entrepreneurs prepare for the upcoming changes?
Entrepreneurs versus GDPR
To prepare for GDPR's entry into force, a company first needs to raise awareness that the new regulation is an important issue which will affect many areas of its operations. The new regulations apply to the personal data of both the company’s employees and its customers. Therefore, it is necessary to identify, first and foremost, the places and processes within the organisation where personal data are located, and the principles on which they are processed. Who do we receive data from and with whom do we share them? Do we send them outside the European Union? How do we secure data from a technical, organisational or legal point of view? These are questions which will facilitate the verification of existing processes in the company. Another step will be to analyse the legal bases for processing data and improve the privacy policies made available to data subjects accordingly.
GDPR not only gives citizens new rights but also equips everyone with instruments to control and manage the processing of their data. At the same time, it obliges data processors to fulfil the wishes of citizens with respect to the use of these data. New privileges include, for instance, the right to be forgotten, the right to access data or to delete them. For this reason, in parallel to other activities, companies must plan for and describe the processes that will implement these rights. It is also necessary to design a data protection system that takes into account the current security knowledge, as well as a data breach notification procedure. Certain breaches will need to be reported to the Office of Personal Data Protection within 72 hours of their identification. The organisation should consider the appointment of a Data Protection Inspector who has specialist knowledge in this area. While this is not always required, having a competent person in place makes it easier to manage tasks which the company has not previously dealt with. Moreover, respect for privacy and principles relating to personal data should be reflected in the company’s overall conduct. It is therefore recommended to perform periodical inspections to verify whether privacy rights are observed in all processes that occur within the organisation.
Google and Facebook are subject to GDPR
Companies which store and process the data of EU citizens or supply their goods or services in the EU are subject to the provisions of GDPR, even if they do not have their registered office in a European Union Member State. This also applies to major players from overseas, whether from the US or China. Hence, the requirements for which Polish entrepreneurs need to prepare are also the requirements for Google or Facebook, which collect data about internet users and monitor their online behaviour. From a user perspective, the right to be forgotten is extremely important. It amounts to an obligation for online companies to delete user data on request. The right to request data transfer is another important new aspect from the perspective of people who use popular social media sites or search engines. They will now be able to receive their data from the administrator in a structured form and request the transfer of the data to a different administrator.
For some, the entry into force of personal data protection legislation will be an evolution, for others a real revolution. It will certainly start a new chapter on the principles of personal data processing and will undoubtedly have an impact on company marketing activities. In view of the new provisions, it will be even more important to select the right business partners to ensure secure and legitimate management of personal data.