GDPR - the most important challenges for entrepreneurs


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, commonly referred to as the GDPR, is undoubtedly the hottest topic of the year. The regulation came into force on May 25, 2018. What challenges does the GDPR introduce for entrepreneurs?

Who is affected by the GDPR?

The GDPR applies to every entity that processes personal data. In practice, this means every entrepreneur: large joint-stock companies and limited liability companies as well as sole proprietorships (e.g. accounting offices, online stores, hairdressers, beauty salons, wholesalers, doctor's offices), and in general every entity that employs staff.

What is personal data?

Personal data under the GDPR is any data that enables a person to be identified: not only name, surname, place of residence, PESEL or NIP number, but also e-mail address, IP address, and a person's voice and image (in the case of audio and video recordings). The GDPR does not apply to the data of deceased persons, so entrepreneurs running stonemasonry workshops or providing funeral services do not have to implement protective measures with regard to the data of the deceased (they will, of course, still process and store the data of the clients ordering those services).

What changes does the GDPR introduce?

The EU regulation does not prescribe specific measures and therefore requires entrepreneurs to show a bit of creativity, limited, of course, by the provisions of the GDPR. In the event of an inspection, the entrepreneur will have to demonstrate how they protect personal data. Each entrepreneur should first analyze what personal data of employees or clients they hold, how they have processed it so far, in what form it has been stored, and whether they obtained consent from clients or employees to process it, and then, based on this analysis, choose solutions that ensure optimal data protection. The entrepreneur may also commission an audit of the security measures applied and the changes required, which seems a reasonable and justified approach.

Consent to data processing

One of the most important issues related to the GDPR is the obligation to obtain the consent of the person whose data the entrepreneur processes for its processing and storage. Importantly, this consent must be given before the processing takes place and must be express; it is therefore recommended that the declaration be worded in a form that is simple for the client. Pursuant to the draft Polish Act on the Protection of Personal Data, a person will be able to give consent from the age of 13, so a teenage client, despite not having full legal capacity, will not have to ask their parents to consent on their behalf. The customer must also be clearly informed of the possibility of having their personal data removed from the entrepreneur's data set.

Entrustment agreements

If the entrepreneur uses the services of other businesses (e.g. IT companies, accounting offices, training companies, courier companies), the entrepreneur should conclude agreements entrusting the processing of personal data to them. Such an agreement should be in writing and specify its duration, the subject of the processing and the type of data, the purpose of the processing, the categories of persons whose data will be processed, and the obligations and rights of the data processor and the data controller.

Storage of photocopies of documents

A common practice in the vast majority of enterprises was to keep photocopies of identity cards, driving licenses or student ID cards in employees' files. Such practices should be considered unacceptable, not only from the point of view of the GDPR, but also because of concerns repeatedly expressed by the Inspector General for Personal Data Protection (GIODO) regarding possible unauthorized use of such copies (e.g. with regard to telecommunications undertakings, but also entrepreneurs running hotels and agritourism facilities or running competitions and promotional campaigns for consumers). In GIODO's opinion, merely presenting an identity document should be sufficient. In light of the new GDPR rules, the question arises as to what to do with photocopies of identity documents already held by entrepreneurs. The most appropriate solution seems to be to destroy them, leaving a note in the employee's personal file stating the date and reason for their destruction. Such a note is particularly important for files whose pages are numbered. Destroyed photocopies should be replaced with a statement by the employee confirming their personal data, or a statement by the employee responsible for human resources at the employer confirming that the identity document was presented and is consistent with the other data provided by the employee.


Register of data processing activities

The GDPR imposes on some entrepreneurs (e.g. those employing more than 250 employees, processing sensitive data, or processing data in a way that threatens the rights and freedoms of individuals) the obligation to keep a register of data processing activities. Because this obligation is worded so imprecisely ("threat to rights and freedoms"), it is recommended that every entrepreneur keep such a register, just as every entrepreneur should consider appointing a data protection officer. This is mandatory, for example, for entrepreneurs processing sensitive data. Sensitive data is a special category of data, e.g. concerning health, sexual orientation, religious beliefs or membership of political parties. The data protection officer may be an employee of the entrepreneur, unless that employee is responsible, for example, for the security of the IT system. It may also be a third party, so the entrepreneur can outsource this function. In that case, however, the entrepreneur should verify that there is no conflict of interest between the clients of the entity acting as data protection officer.

Security of data stored in the cloud

If the entrepreneur uses any IT systems (e.g. a website, online store or social media), they should implement appropriate measures ensuring the security of data transmitted that way. Particular challenges face entrepreneurs using so-called cloud systems, where data is not stored on disks at the entrepreneur's premises. In this case, the entrepreneur should contact the IT service provider and jointly assess how the personal data is secured and what changes should be made. The entrepreneur should also not use free e-mail services, because in that case they are particularly exposed to hacking attacks and data theft. For this reason, it is recommended that all entrepreneurs obtain an e-mail server and a file storage server equipped with appropriate security certificates, and, when sending any files, secure them with a password given to the client or employee in a separate message. Even entrepreneurs running company blogs on popular websites should check whether and how the personal data of users reading those blogs is secured.

GDPR on business phones

An interesting issue is the use of business phones by the entrepreneur's employees, a solution common in almost every enterprise. Contacts and data stored in the phone's memory should also be protected in accordance with the GDPR, and a screen lock requiring a PIN alone cannot be considered sufficient protection. For this reason, the employer should make employees aware that they must not install applications of unknown origin on the phones entrusted to them, as such applications may steal the data stored on the device. If possible, entrepreneurs should also invest in applications that encrypt data and protect phones against unauthorized access.

What are the risks of non-compliance with the GDPR?

Failure to implement the provisions of the GDPR may result in liability for damages towards persons whose data has been disclosed, criminal liability and, above all, administrative liability. The regulation provides for high fines for ignoring the obligations arising from the new rules. In addition, an entity that stores and processes personal data will have to report breaches of the GDPR to the President of the Office for Personal Data Protection within 72 hours. This means that in the event of, for example, a hack of a server used by the entrepreneur or any other leak of personal data, the entrepreneur will have to take special security measures.