Where will I find accessible legal information?

DZP's media centre.

GDPR Challenges are Here


Agnieszka Kaczmarek

Twenty fifth May 2018 has come sooner than we wanted and has gone equally quickly. The world did not stop turning, business did not grind to a halt, and the day did not end in disaster, despite the concerns of many.

All this was due to the EU Personal Data Protection Regulation, or the GDPR, that became applicable on 25 May 2018 and represents one of the most significant changes to personal data protection over the past 20 years. The GDPR provides for a number of new personal data protection obligations, applies to us all, affects how business is carried on, and is supposed to protect us, average citizens, against abuses of our data and give us full data autonomy.

Over the past few days, we have seen many absurd situations related to application of the GDPR: doctors refusing to tell parents whether their children have been admitted to hospital, hospitals using numbers instead of names to refer to patients, and church offices not issuing copies of documents to relatives. The GDPR is not responsible for any of them; they were all due to lack of knowledge or information.

Personal data have often been neglected (even though Poland has had a Personal Data Protection Act for 21 years). As there has been no threat of high fines being imposed by the Inspector General for Data Protection (unlike, e.g. the Competition and Consumer Protection Office or the Electronic Communications Office), apart from fines for repeatedly (!) failing to comply with administrative decisions issued by the Inspector, and the risk of inspections by this authority has been relatively low, some entrepreneurs have not paid sufficient attention to the matter. So now that a regulation attracting as much media coverage as the GDPR has come along, a large part of the market is trying to implement the new regulations, but interpreting them too literally in some cases.
The GDPR is a challenge for many firms in view of the IT, legal and organisational changes that companies will have to make in their businesses. The new legislation also introduces the accountability principle, which requires an entity that processes data in connection with its activity and determines the purposes and means of the processing (called the “data controller” for data protection purposes) to demonstrate that it complies with the GDPR. Compliance is usually demonstrated by amending documents (introducing relevant new clauses and provisions), introducing new procedures (e.g. for notifying data breaches to the supervisory authority), and changing IT systems. If personal data have been managed in any way at a firm, this should really not be a major challenge, but if the firm is starting from scratch, rather more work will be needed. The greatest challenge may be changing people’s approach to personal data protection. We all have to realise that personal data, including customers’ or employees’ data, are becoming a real currency that in some cases may operate like the magic phrase “Open Sesame!”. This is why the risks and requirements under the GDPR must be discussed.

Ever since the GDPR has become enforceable, there have also been many problems with practical application. Examples include requests to exercise entities’ rights under the GDPR (e.g. to obtain information from a data controller (such as a bank) on whether and how it is processing our personal data). It can be seen on the market that customers/contractors/employees are indeed exercising their rights under the GDPR.

This may be one of the biggest challenges arising from the GDPR after 25 May: education and demystification of regulations whose interpretation at the start of application has sometimes given us greater cause for astonishment than admiration for their effectiveness. The regulations of the GDPR have deliberately been drafted so as to leave as much room for interpretation as possible. The EU legislator intends the regulations to be as flexible as possible so that they continue to be relevant in future years. So a situation arises where we have “as many opinions as people” when it comes to interpreting the regulations. This results in absurd situations, e.g. where a cemetery is closed “because of the GDPR”.

The fact that there is no established practice is also a challenge to the business community, which now relies on its own interpretations of the regulations. Coupled with a lack of sector-specific regulations, which are critical for the operations of, e.g. the banking, telecommunications and healthcare sectors, this means that we can expect inconsistent practice and many questions over the interpretation of the regulations over the next few months. Let’s hope we will find answers to many of these questions.

The Ministry of Digital Affairs has announced that a working group will be set up to prepare interpretations of the regulations to make it easier for, e.g. schools and healthcare providers to rationalise application of the GDPR. This is a good move and one that meets the needs of citizens and the business community, which is always positive. We secretly hope that both the Ministry of Digital Affairs and the new supervisory authority will follow the example of the UK supervisory authority, ICO, and will soon issue instructions or guidelines enabling businesses to apply the GDPR reasonably so that it fulfils its basic function of protecting us and our personal data.


Source: The Warsaw Voice, 30.06.2018

Stay updated with DZP