New EU law on personal data protection – is business in Poland ready for such a big change?

Almost 80% of business entities surveyed by CMS declare that they are aware of the changes to personal data protection, which entered into force on 25 May of this year. However, according to a report prepared by CMS entitled “Changes in the EU Personal Data Protection Law – New Challenges and Opportunities for Companies”, almost 30% of respondents do not know how much time is scheduled for the adaptation to the new EU regulations.

CMS’ TMT team examined more than 100 companies on the Polish market in relation to the new data protection rules introduced by the European Union for all companies operating in member states, as well as for companies that provide goods or services to EU citizens even though they operate outside Europe.

The new law will be enforced by the regulator starting on 25 May 2018. In the case of non-compliance after this date, companies must be aware of the risk of financial penalties of up to EUR 20m or 4% of the global annual turnover of the previous financial year.

Tomasz Koryzma, partner at CMS says: “Business entities should start preparing for the implementation of the new law now, as adaptation to EU regulations requires both adequate financial and human resources. Given the scale of the changes, it may be necessary to create multi-disciplinary teams of legal and technological experts, who will analyse the impact of the new regulations on the company’s activities. Firstly, we need to look at the business processes, existing documentation and software that is used to process data and then we need to evaluate their compliance with the new regulations.”

The legislator has given businesses across Europe two years to prepare for the new regulations. This is needed due to the scale of the changes including, inter alia: the need to verify IT systems used by business entities or to inform customers about the new rules related to processing their data, as well as to introduce a new process in the company – an assessment of the impact of data processing on privacy.

“One of the major changes from the perspective of business entities is the need to provide customers with exhaustive information, in a clear and accessible way, about how their data is being processed, e.g. whether and to which countries the data is transferred and for how long it remains in the database. In practice, this means that information saying that the data is processed, e.g. for marketing or recruitment purposes is no longer sufficient," says Marcin Lewoszewski, legal adviser at CMS’ TMC department. “Additionally, businesses are now obliged to very carefully select the entities whom they entrust with the processing of data, e.g. in connection with the HR/payroll services or data analysis," says Marcin Lewoszewski.

It may be implied from CMS’ survey that only approx. 15% of the surveyed business entities have already taken any action in their organisations to prepare for the new challenges, while the vast majority of respondents (approx. 75%) limit themselves to monitoring legal changes in the scope of personal data management.

“Businesses have apparently decided to wait and see what happens, which may indicate their need to obtain further information about the practical consequences of the changes and on what actions to take in relation to the new approach to personal data protection," Tomasz Koryzma, partner at CMS, says. "However, if we look at the Polish market it may turn out that in comparison with the richer countries of Western Europe, the distance Polish companies have to cover in order to meet the new requirements, e.g. in relation to adapting IT systems, is greater due to the long-term lower level of investment in business, including in data security," he adds.

Companies themselves express the need for more information about the practical consequences of the changes – more than 85% of respondents would like to see more information about the consequences and specific actions needed in connection with the change in the regulations.

The vast majority of companies surveyed by CMS consider the regulations as significant enough to engage the company's management in the process of introducing changes to their organisations. The respondents think that the management’s participation is needed in the process of identifying key risks, due to the need to consider a new approach to personal data in the company’s organisational culture, and also because it is an important element of risk management in the company. In addition, nearly half of respondents believe the changes to be so extensive that they intend to use the support of external companies.

According to the respondents, sales, marketing and IT departments must make the greatest effort to prepare for the changes. Only approx. 40% see the need for HR departments or HR processes to adapt, and even less as regards finance (below 20%).

“Businesses accurately identify areas that will require the most attention and adaptation to the new law. Particularly in those industries where personal data is a key value – e.g. in the financial sector – the biggest changes will be related to the area of marketing and sales and IT,” says CMS’ Marcin Lewoszewski.

As shown in the survey by CMS, the surveyed business entities associate the new legislation mainly with an increase in the costs of running a business – almost 80% of respondents share this fear. When asked about the benefits of increased protection of personal data, respondents indicate an increase in customer trust (about 40%) and a reduction of legal risk (nearly 30%). Among other benefits of tightening the approach to the protection of personal data, they also point out the following aspects: increase of competitive advantage, and making data protection real.

When asked about the reasons to adapt to the new regulations, respondents indicated the risk of financial sanctions and regulatory risk (almost 90%), which is quite obvious given the circumstances. Further down were reputational risk (approx. 75%) and customer expectations (approx. 50% of responses). Only approx. 30% of respondents have a proactive approach to the changes, referring to the benefits of the commercial use of personal data.

When asked about specific plans in the scope of providing information about changes in the approach to personal data within their own organisations, the surveyed business entities primarily consider transferring such information via the Intranet (over 50%) or retraining employees (45%). At the same time almost ¼ have no plans or knowledge of any planned activities.

Examples of changes concerning personal data applicable after 25 May 2016:

• The new regulations require business entities to notify the Inspector General for the Protection of Personal Data (GIODO) about all instances of data breaches and at times also to notify the data subjects involved (e.g. customers). All irregularities in this respect will have to be reported to the supervisory authority (GIODO) without undue delay, if possible, no later than 72 hours after the discovery of the breach. The above concerns not only instances where data is e.g. unlawfully published on the Internet but also situations where a USB stick with data is lost or data is deleted.
• The new law allows for profiling based on automatic data processing only when the individual concerned consents to it, unless such profiling is necessary to enter into or perform an agreement. The regulation requires that consumers be informed of being subject to profiling.
• Everyone whose data is processed by a company, e.g. employees or customers, must now be provided with significantly more information on what happens to their data. Business entities will have to ensure that such information is transparent, reliable and clear.
• Data controllers will be able to conclude agreements for outsourcing data processing only with entities that guarantee the proper implementation of the regulation, among other things, apply security measures adequate to the processing risk and regularly monitor the effectiveness of technical and organisational resources that are to ensure security.
• The new regulation changes the role of the information security administrator. Under the regulation this role will be replaced by the data protection supervisor. One supervisor will be able to operate in more than one company only on the condition that it is easy for each such company to contact the supervisor. This should improve the functioning of capital groups that coordinate activities aimed at data protection.
• The catalogue of the supervisor’s tasks has been unified in the entire European Union. The supervisor’s duties will comprise, among other things, monitoring compliance with the regulation by undertaking activities and training the employees of a given company as well as cooperation with the Inspector General for the Protection of Personal Data (GIODO).
• Under the regulation, the appointment of a data protection supervisor in the private sector will be obligatory in two cases: if data processing due to its character, nature, purpose or scope requires regular and systematic monitoring of individuals on a large scale as well as when data of a specific category (sensitive data) or personal data concerning convictions is processed on a large scale. In the remaining cases the appointment of a data protection supervisor will be voluntary.

Additional information on the survey:

The survey was carried out in April and May 2016 among representatives of over 100 companies operating in Poland. Nearly half the respondents (48%) work in companies with over 500 employees and 68% are employed in international corporations. The following sectors had the strongest representation: insurance (19%), banking (14%) and technology (11%). Many of the respondents work in the FMCG, telecommunications, automotive and e-commerce sector. Respondents were mainly management board members and department directors and managers. The majority of them work in legal (29%) and IT (11%) departments, followed by the compliance, security, sales and marketing departments.