In the run-up to 25 May 2018, the day that the European General Data Protection Regulation (GDPR) came into force, Maciej Kawecki, director of the department of data management at the Ministry of Digital Affairs, was appearing in public non-stop. It was this dedication to pressing home to the public the message about personal data protection that has ensured that public sensitivity to GDPR and data privacy in Poland is so high. “Poland is in the top EU member states in terms of awareness of the issues surrounding GDPR. Issues such as the right to be forgotten are understood by Polish citizens – they know what it means,” says Dr Kawecki.
And yet there are differences in how businesses in Poland have adapted to the new data privacy regulations. “What businesses have in common is the fact that their clients, their customers, are aware of their new rights. Businesses of all sizes have to meet their customers’ heightened expectations. But while large corporations are by and large compliant with GDPR – they have created policies, documentation, they have collected consent with a long list of check-boxes – smaller businesses have yet to fully adapt. The main reason behind ‘GDPR fatigue’ is the large volume of paperwork that businesses need to deal with.”
The main tool used by many businesses as the starting point for their collection and processing of customer data is ‘permission to process’. It is actually better – for the business – to consider an agreement rather than a permission, says Dr Kawecki. I ask whether this is not more onerous on the part of the client/consumer, who, faced with a solid page of terms and conditions, is more likely to click away from a given website. “Agreements are also check-box driven, they look similar to simple permissions, but once entered into by a consumer, they are more likely to remain in force than a permission, which can be easily withdrawn.”
Four months after it came into force, there’s still much misunderstanding around the subject, despite the comprehensive PR campaign. “We get many complaints coming to our ministry, rather than being directed to the Personal Data Protection Office [UODO, formerly known as GIODO]. Most of these complaints are to do with email marketing or phone spamming,” says Dr Kawecki. “This suggests we need to step up our educational role: producing guides, conferences and workshops. On 24 September, we issued guidelines for the healthcare sector. We’ve also prepared guidance for primary and secondary schools. There were a great many absurdities arising from people’s misunderstanding of what GDPR means and what it doesn’t mean.”
One such case relates to the photocopying of ID cards. “The banking sector is one where this is allowed, under separate anti-money laundering legislation. But telecoms operators cannot copy ID cards – there’s no separate legislation that would obligate firms from the telecoms sector to do so. The minimisation rule means that firms should only gather personal data that’s needed for a given purpose,” says Dr Kawecki.
“How about inspections?” I ask. “Well, UODO has inspected our ministry, tested our systems – a useful exercise for both parties,” replies Dr Kawecki. “There are two sorts of inspections that businesses can face – announced and unannounced. In the case of the latter, the inspectors, upon entering the business premises, should show authorisation and say which categories of data they will be inspecting, then they will conduct interviews with large numbers of employees, who will be asked to provide oral explanations to the inspectors’ questions. These are noted in the inspection protocol, which is then used as the basis to decide whether or not to carry out proceedings – the decision is down to the courts.”
He stresses the importance of technological neutrality, the fact that the platform on which data is stored is irrelevant. Crucial, however, is the philosophy that privacy is a basic human right that businesses need to respect.
GDPR is an essential piece of legislation upon which future technological developments will have to stand. “Biometric data, from iris scans through to human DNA, is extremely sensitive, data that strictly connects a person’s identity, and needs to be protected.
“Technology is about to develop rapidly in many new areas. The Internet of Things (IoT), distributed ledger (Blockchain), artificial intelligence and machine learning, big data and cloud computing – all these technologies are strictly connected with personal data. Technology has to remain neutral here; firms using tech will need to demonstrate that they are using the best solutions and have taken all the right organisational measures to protect personal data. A personal data controller, responsible for overseeing the way personal data is processed, needs to be in place. For big corporations, this is no problem, but for small businesses, this requirement makes GDPR a difficult regulation,” he says.
“The Ministry of Digital Affairs has set up a working group on IoT, and the personal data privacy issues that surround it. We are working with start-ups, where from the very outset, dealing with personal data lies at the heart of what they are doing. These businesses need certification, and at present in some cases, we see that the Polish legal system cannot provide that certification. Some of our start-ups have had to go to Czechia to get certified. If Poland is to succeed in IoT and other new technologies, there must be a solution that offers a balance between the respect for personal privacy and the progress of technology. It’s a never-ending story,” says Dr Kawecki.