Is GDPR a revolution?

From May 25 this year, the GDPR, the General Data Protection Regulation, will apply in Poland. Among other things, it unifies the principles of personal data processing throughout the European Union. To bring this topic closer to our readers, we asked Mrs. Barbara Sośnicka, Legal Counsel, a few questions about the GDPR.

The EU regulation, GDPR, came into force 2 years ago, in May 2016.
The period for compliance ends on May 25, 2018. Most entities have only really taken up this topic this year, hence the widespread panic. This is being used by various companies, which are massively offering entrepreneurs various options related to implementing the GDPR. Someone who has only just started to take an interest in the subject may make a bad decision in a panic, and the implementation of the GDPR will not go smoothly.

Is GDPR a revolution?

Many people want to wait for the Polish act to appear. However, this act will not change the content of the GDPR. It is an EU regulation, and therefore it will be directly applicable in Poland even without the adoption of the act. The act will only sort out certain issues concerning the control procedure or the operation of the new office.

The EU regulation enters directly into our legal order; what's more, it is "more important" than the Polish act. If the act contained provisions that were inconsistent with the provisions of the GDPR, the GDPR would apply anyway.

Currently, Polish law provides:

Personal Data Protection Act 1997,
Regulation of the Minister of Internal Affairs from 2004, which specifies the technical requirements that a specific company should meet on a given day.
You can also refer to the PN-ISO/IEC-17799:2005 standard, which specifies that information security should be understood as maintaining confidentiality, integrity, availability, accountability, authenticity, non-repudiation and reliability.

The Regulation of the Minister of Internal Affairs and Administration from 2004 will soon cease to apply, but you can draw ideas from it regarding, for example, IT system security. However, it should be taken into account that there is a lot of outdated information there. The technologies used today are significantly different from those from 2004.
As for the PN-ISO/IEC-17799:2005 standard, the GDPR does not change much in its aspect, repeating some of the principles listed therein.

The GDPR is very general, and there is actually very little specific information contained therein.
It's true. After reading the regulation, we may have the impression that we still don't know what to do and how to secure data in the company. This is not in the GDPR and will not be. The assumption is that the GDPR is to function for 50 years, and because of this, provisions regarding, for example, technology and specific security measures are not introduced there. This is logical, because technologies change very quickly: what was innovative 2 years ago is no longer, and this will continue to change. The GDPR does mention encryption or pseudonymization, but these concepts are used in a very general context.

You need to perform a risk analysis and adjust security measures strictly for your own company. GDPR implementation will look completely different for a person who runs a sole proprietorship, does not employ employees, works from home and has an online store than, for example, a laboratory that employs 50 employees, has sales representatives throughout the country and processes genetic data (i.e. data from special categories). In the latter case, the scale of the obligations to be fulfilled will be greater.
