A year after the GDPR

On the 26th of May 2019 it will be one year from the introduction of the GDPR. What has happened? What have we learnt during the last 12 months? Do companies have full control over the requirements concerning data collection and processing?

Recent months have brought many examples of the enforcement of the GDPR rules in various countries and industries, including substantial fines imposed on the giants of the Internet. However, there are several other cases of smaller, lesser known organizations that illustrate how seriously violations are treated by the data protection authorities across Europe. The best known example is the fine of EUR 218,000 imposed by the Polish Office for Personal Data Protection (PDPA) at the end of March this year for the failure to inform people that their data will be processed.

Recently, the PDPA imposed another fine of EUR 12,000 on a sports club, which made available on the Internet not only the full names of judges who were awarded licenses, but also their full home addresses and Personal Identification Numbers.

What are we still having a problem with?

Even a year after the GDPR entered into force, there are still numerous myths and misconceptions about the provisions of the Regulation. Obligations concerning data, obtaining consent, the exercise of the rights of data subjects: these are just a few of the issues faced by entrepreneurs not only in Poland, but throughout Europe. It seems, however, that completing the register of processing activities is the most problematic. The register is kept to ensure compliance with the terms and conditions of personal data processing, and the information collected in it lets entrepreneurs assess to what extent the obligations resulting from the GDPR apply to them. However, in order to complete the register properly, every process in which the enterprise processes personal data has to be identified, which in many cases causes entrepreneurs considerable problems.

What’s new?

From the 4th of May 2019, a new sectoral act is in force, which introduced amendments to nearly 170 pieces of legislation, including the Labor Code, the Act on Electronic Services, Public Procurement Law, Construction Law, the Act on Insurance and Reinsurance Activities, as well as the Act on Trading in Financial Instruments.

What are the challenges for entrepreneurs?

The most important amendment resulting from the sectoral act is the obligation to adjust to the requirements of the GDPR all consents given on the basis of the Act on Electronic Services (for example, marketing mailing consent), as well as consents given on the basis of the Telecommunications Act (for example, telemarketing consent).
Practically every entrepreneur will be affected by the new regulations in the field of labor law, such as the new guidelines concerning data collection during the recruitment process or restrictions in the field of marketing.

How can we help you?

  • We will conduct post-implementation audits, that is, we will check whether you need updates to your documentation and which ones.
  • We will conduct a performance audit from the perspective of personal data protection law (including compliance with the GDPR and sectoral legislation).
  • We will verify, from the perspective of personal data protection, the consistency of the adopted solutions, procedures and processes in relation to the implementation of sectoral legislation (for example, MIFID, PSD2, e-privacy, Al, AML), and provide post-implementation audit services in this respect.
  • We will give an opinion on new business processes and IT solutions from the perspective of compliance with provisions on the protection of personal data.
  • We will develop data flow structures as part of business processes.
  • We will prepare and verify the internal documentation related to the processing of personal data, including privacy policies, instructions, internal procedures and the documentation of obligations arising from the GDPR under the risk assessment and accountability principles.
  • We will conduct dedicated sectoral training sessions and prepare instructions in the field of personal data protection.
  • If necessary, we will represent you in proceedings before the President of the Office for Personal Data Protection.

We’ll be happy to take any questions you may have.
