GDPR personal data security

In May 2018, after a two-year transition period, the GDPR, the EU General Data Protection Regulation, came into force. It imposes a number of obligations on controllers of personal data and on the companies that process data on their behalf, known as processors.

GDPR is the commonly used acronym for Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. In accordance with the general principles of European Union law, the Regulation has been directly applicable in all EU Member States since 25 May 2018 and has formed part of national law since that date.

The provisions of the GDPR apply to almost all entities that process personal data: public bodies as well as private companies, and even sole proprietors if they process the personal data of other individuals (e.g. job applicants, employees, suppliers, customers and business partners) and thus become controllers of that data.

Entrepreneurs must adapt their existing data protection documentation, if they have any, to the requirements of the GDPR. This adaptation covers the preparation of a risk analysis, a register of processing activities (or categories of processing activities), consents to the processing of personal data, information clauses, authorisations to process personal data, a register of personal data breaches, and data processing agreements (agreements entrusting processing to a processor).

Apart from preparing the documentation, a particular challenge for entrepreneurs is the obligation imposed on controllers by Article 33 GDPR to report personal data breaches to the competent supervisory authority no later than 72 hours after becoming aware of the breach. In Poland that authority is the President of the Personal Data Protection Office.

In addition, pursuant to Article 32 GDPR, entrepreneurs must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Where applicable, this includes:

pseudonymisation (understood as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately),

encryption of personal data,

the ongoing confidentiality, integrity, availability and resilience of processing systems and services,

the ability of the systems in place to quickly restore the availability of personal data.

What exactly are these appropriate measures that achieve the purpose of the GDPR? Unfortunately, the GDPR does not answer this question. The Regulation is written at a very high level of generality and gives no specific guidance on how personal data is to be protected; it prescribes no particular technical or organisational measures. Entrepreneurs must themselves select technical and organisational measures, adapted to their business profile and to the scope of the data they process, that fully secure the personal data in their care.

We offer a comprehensive service for the development and implementation of a Personal Data Protection System in accordance with the requirements of the GDPR, starting with an inventory of assets, through risk analysis and the selection of safeguards adequate to the identified risks, up to the implementation of the appropriate security procedures and policies.

We also provide the services of a Data Protection Officer (DPO), giving our customers access to experienced consultants and officers who serve a variety of companies and organisations.