GDPR is a consensus, an answer and a challenge
The principles of privacy protection in the era of smartphones, life in virtual reality and the big data phenomenon used to be determined by laws dating back to times when Google did not exist and Yahoo had only just been founded. The only mobile telephone network in Poland at the time had 35,000 subscribers, who used Nokia 150 models. While reality was galloping forward, the law was stagnating. GDPR had to happen — affirm Małgorzata Jankowska-Blank and Jacek Grabowski, experts at Gemius.
GDPR is the answer to the question of how to protect privacy in the face of technological progress. It is also an attempt to find the golden mean between securing the interests of your average Joe Bloggs and preventing business development from being hampered at the same time. Reaching a consensus in a situation where contrary interests often need to be balanced posed a serious challenge for the authors of the regulation. Companies which collect and process personal data are now facing an equally important challenge. So how should entrepreneurs prepare for the upcoming changes?
Entrepreneurs versus GDPR
In order to prepare for GDPR entering into force, a company primarily needs to raise awareness that the new regulation is an important issue which will affect many areas of its operations. The new regulations apply to the personal data of both the company’s employees and its customers. Therefore, it is necessary to identify, first and foremost, the places and processes within the organisation where personal data are held and the principles on which they are processed. From whom do we receive data, and with whom do we share them? Do we send them outside the European Union? How do we secure data from a technical, organisational and legal point of view? These are questions which will facilitate the verification of the company’s existing processes. A further step will be to analyse the legal bases for processing data and to improve the privacy policies made available to data subjects accordingly.
GDPR not only gives citizens new rights but also equips everyone with instruments to control and manage the processing of their data. At the same time, it obliges data processors to fulfil the wishes of citizens with respect to the use of these data. New privileges include, for instance, the right to be forgotten and the right to access or delete one’s data. For this reason, in parallel with other activities, companies must plan for and describe the processes that will implement these rights. It is also necessary to design a data protection system that takes into account the current state of security knowledge, together with a data breach notification procedure. Certain breaches will need to be reported to the Office of Personal Data Protection within 72 hours of their identification. The organisation should consider appointing a Data Protection Inspector who has specialist knowledge in this area. While this is not always required, having a competent person in place makes it easier to manage tasks which the company has not previously dealt with. Moreover, respect for privacy and the principles relating to personal data should be reflected in the company’s overall conduct. It is therefore recommended to perform periodic inspections to verify whether privacy rights are observed in all processes that occur within the organisation.
Google and Facebook are subject to GDPR