On 25 May this year, the EU Regulation on data protection, generally referred to by its abbreviation, GDPR, will enter into force. The Ministry of Digitalisation keeps working on the provisions ensuring proper application of the Regulation in the national legal system. However, it is already known that practically all entrepreneurs must prepare for new obligations, whose non-fulfilment will be sanctioned by severe financial penalties – up to 20 million euros or 4% of annual turnover (whichever amount is higher). Given the scale of the planned changes, there is little time to get ready for their implementation. With the above in mind, it is worth starting to prepare the relevant internal procedures now, so as not to expose one’s business to unnecessary risk.
Main reforms introduced in GDPR
In the first place it must be remembered that an EU regulation, by its very nature, is directly applicable in the Member States of the European Union – which is why, even if the Polish legislator fails to adopt the implementing act before 25 May, entrepreneurs will still have to comply with the new obligations. These obligations will apply to practically all entities that, in whatever way, process the data of their customers – both large corporations and small family businesses. Moreover, it is the entrepreneurs themselves who will have to design the systems of personal data protection in their firms, and these should be specifically tailored to the type of their activity. The EU legislator reached the conclusion that it is pointless to precisely pinpoint the obligations of a data processor in the Regulation, as this would necessitate an extremely extensive piece of legislation likely to grow obsolete very rapidly. That is why GDPR provides “only” a general framework and goals that must be met by data processors – primarily by comprehensive assurance of protection and conscious consent to processing, and by enabling the data subject to exercise the right to “be forgotten.” All of that will require the introduction of a system of protection not only for the enterprise as a whole but also for the specific sectors of activity carried on within it. The EU legislator made only a very general decision that such procedures are to involve appropriate technical and organisational measures, match the nature, scope and context of the processing, and reflect the risk to the freedoms and rights of natural persons.
The data subject will also gain the right to demand that the processor provide his or her data “in a commonly used readable format” or transfer them to another institution which also processes data. According to GDPR, this right will be granted to everyone whose data are processed on the basis of consent or a contract, or by automated means. Obviously, for many firms this will imply the need to develop their IT systems and add new functions to the existing ones.
Entrepreneurs also face more down-to-earth challenges. Practically every firm processing personal data already has a system of data protection, e.g. appropriate forms of consent to processing. However, as a consequence of the change to the very definition of personal data, such forms too will have to be reworded. From 25 May on, the concept of personal data will also include IP addresses, location data and cookies stored by Internet browsers. It will also be necessary to notify customers of their rights in a “clear and accessible form,” e.g. regarding the right to object to data processing for direct marketing purposes.
Moreover, in the event of any personal data breach resulting from a hacker attack, the firm will have to report that fact within 72 hours to the Inspector General for Personal Data Protection. On a side note, it is worth adding that the Inspector General will be transformed into the President of the Office for Personal Data Protection (OPDP). Under the bill being drafted, proceedings before the President of the OPDP will be a one-instance procedure, which means that its decisions will be immediately enforceable. This cannot be changed even by an appeal to the administrative court. The President will also gain the right – where it is established that data are being processed in violation of legal provisions – to oblige the processor to limit its activities in this respect. Issuing such a decision may significantly restrict the entrepreneur’s ability to conduct business, e.g. when the entrepreneur sells online.
The Ministry of Digitalisation plans to address entrepreneurs’ needs by enabling officials to issue so-called codes of good practice recommending methods of personal data protection in particular sectors of the economy. Such codes are to be subject to consultation with the relevant stakeholders and approved by the President of the OPDP. However, the bill is still at the legislative stage and it is rather unlikely that such codes will come into existence before 25 May. That is why entrepreneurs who do not wish to be exposed to severe penalties or restrictions on their activities should already be preparing data protection systems for their business.