What is GDPR and should we be afraid of it?
GDPR is a general resolution on personal data protection. Its rather lengthy name is Regulation (EU) No 2016/679 of the European Parliament and the Council dated 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data. GDPR repeals the directive in force since 1995 on the protection of personal data and introduces, as a rule, one system of personal data protection in the European Union. GDPR gives the member states some freedom of choice regarding certain solutions. However, we may say that the system will be coherent in its most important provisions.
GDPR is about to introduce big changes in the protection of personal data in Poland.
The resolution comes into force in May 2018. How much time is needed to prepare properly for that?
The time is now. Right now we’re in a transition period and on 25 May 2018 everyone will have to switch to the new rules. Nothing prevents us from introducing GDPR today. Customers must know precisely how and why their personal data are being used. We should bear in mind that a customer may withdraw their consent and require an immediate removal of their data from our systems.
Who do the new provisions concern and what was the trigger for introducing such a resolution?
GDPR will have a broad spectrum of uses. It is easier to indicate what GDPR does not apply to, and that is the processing of personal data within purely personal or domestic activity with no relation to professional or trade activity. It means that entrepreneurs will not escape GDPR. There are two reasons for the resolution to come into force. First of all, the directive that has been regulating these issues went out of date many years ago. It was adopted as early as the 90s, and since that time many technological revolutions have taken place. Secondly, it was noticed that in the EU the system of data protection is not harmonised. In various countries many different solutions are in force. GDPR unifies them in the whole EU and forces subjects that have their seats outside the EU to apply GDPR towards EU citizens.
Why is GDPR so important for eCommerce?
eCommerce is the first line of GDPR’s application in practice. It’s a great responsibility for online shop owners to educate their customers properly and inform them about their rights, but also to show that the shops take the introduction of GDPR seriously. E-Commerce will be the first experimental field which is about to show how GDPR is going to work in practice. On the one hand it’s good because it’s a branch familiar with new technology, but on the other hand it is dangerous so far, as only after some time will people know what they will be able to do with their data.
GDPR will mean a change in dealing with customers’ personal data. We must be more cautious and more transparent. It’s worth adopting one principle: inform, inform and once again, inform. The more a customer knows about the ongoing operations of data processing in the company, the better.
It often happens that customers click their way through privacy policies and regulations without much consideration. No wonder, because the texts are often written in hermetic language only to “check the box”, delivering the information which the entrepreneur is obliged to provide. GDPR indicates that the texts of our documents should be clear and understandable for customers. It’s worth taking advantage of the regulation’s coming into force to modify documents. We should try to make it clear to our customers why their names, addresses and other data are processed. E-shop owners have an opportunity to be the first to explain the changes to their customers. It’s worth taking advantage of this opportunity.
What exactly should be put on an online shop website after introducing GDPR?
It’s an insidious question because we may assume that there are some kinds of templates we could apply to many different subjects. However, while introducing GDPR we will have to individualise the specific information provided to customers, referring exactly to the given activity. That is why it’s hard to indicate one template which could suit all e-shops. We will have to change customers’ approach to data processing and get it into our heads that we will have to inform customers what a given company is about to do with their data and which data is collected.
How does the definition of “personal data” change?
The definition of personal data is already very broad as of today because we consider personal data to be all information concerning an identified or identifiable natural person. GDPR includes a similar definition. What is important, though, is not only how personal data is defined, but also a particular change in the way of thinking about it and the way of dealing with it.
What is the difference between current obligations concerning consents for behavioural data processing and anything that happens after introducing GDPR?
We’ve got a certain problem with behavioural data. Actually, currently it does not appear in the act on personal data processing but rather in the act on providing online services. In GDPR we are about to have such a change that it discusses biometric data. Under GDPR it is going to be a leading motif because behavioural data is going to be an evaluation factor in personal data processing.
Will GDPR authorise the provisions identically in the whole EU and outside EU?
Thanks to GDPR, the provisions in the EU will be harmonised. The resolution provides that the member states will be able to modify certain solutions. It will not be the case that identical provisions will be in force in the whole EU. However, as a rule, we may speak of one system of data protection with certain differences between countries. We have to bear in mind that GDPR is applicable directly, without a need to refer to national provisions.
Generally, the subject which has its seat in the EU and processes data is obliged to apply GDPR regardless of whether the processing takes place in the EU or not. If the subject does not have its seat in the EU, but the processing entails offering goods or services in the EU, GDPR should be applied as well.
Are we still obliged to report data sets to GIODO (Inspector General for the Protection of Personal Data)?
Of course, this obligation still exists. Until GDPR comes into force, we have to report data sets to GIODO all the time. In turn, in May 2018 this obligation will be removed and then the obligation for some subjects to assess risk associated with handling personal data will appear. GIODO in its present form will cease to exist. After introducing GDPR there will be only one organ that can react and supervise data processing in the member states.
What is profiling online shop visitors and must a person undergoing the profiling be informed about that?
Yes, a person that undergoes profiling must be informed about it and must express his/her consent for that. Profiling is the automated processing of certain personal data, performed in order to assess certain behaviour, effects and preferences, and to make a forecast analysis concerning certain fields of our interest concerning the customer, e.g. their location, health or shopping preferences. The profile itself consists in speaking of certain characteristics of a certain personal data category, and this is applied to a given person.
Let’s imagine the following situation. An online shop already has a database with a consent, e.g. for getting a newsletter. Is it possible to also send these people a message with a personalised offer? Or must they express their consent one more time?
If the consents already expressed meet GDPR requirements, then the data can be further processed. If not, and if apart from the consent there are no rationales for personal data processing, then the consents will have to be correctly obtained one more time. That’s why it’s worth obtaining consents already today in the way it will be required from May, after introducing GDPR.
When is it possible to change the scope of data processing and how to inform about that?
A consent for personal data processing must be clear. It doesn’t have to be written but sending an e-mail itself is not enough. A given person will have to click, e.g. “yes, I understand and agree”. A person must express his/her consent consciously and consents must be obtained in accordance with the law.
GDPR mentions the right to be forgotten and ceasing to profile on demand. However, the law often seems to function alongside or even against technology. For example, the backup idea doesn’t allow for data removal. A backup is a database dump in which we can’t interfere, and that’s why it is reliable. Should we care about data in backups while we remove the user’s data?
The right to be forgotten is not an absolute right. If an administrator must retain data in terms of protection or claims procedure, he/she should retain this data, also in the case of broadly understood public interest. When it comes to backups, it depends on whether they are required by law and to what extent they are actually necessary. In turn, the “right to be forgotten” idea consists in removing certain links. If we have published data publicly, we also send information about the need to remove personal data to other administrators.
For instance, shop X makes a backup every day at 1:00. Kowalski unsubscribes on 5th June at 10:00 a.m. and at 8:00 p.m. the database in the shop breaks down in such a way that only restoring the backup could save the situation. The cancelled subscription and all the records of the day are lost. Backup is still data processing in the meaning of GIODO. How to survive such a situation?
You have to start with notifying the user that such a situation has taken place. Entrepreneurs must inform users about what is happening with their data, and in this case they should also inform the suitable supervisory authority. That’s why, if the correct information appears and suitable acts of diligence have been undertaken to protect this data and lead to its final removal, there’s nothing to worry about. However, we have to bear in mind that a user has the right to require this data to be finally and totally removed.
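One engineering pattern that keeps a lost unsubscribe from re-surfacing after the restore described above, as an added example that is not part of the interview and not code from any product it mentions: record every erasure or unsubscribe request in an append-only journal kept apart from the main database, and replay that journal against the snapshot after every restore. The subscriber records, addresses and timestamps below are constructed for the example.

```python
"""Replay erasure requests after a backup restore (constructed example).

Assumptions: the live store is an in-memory dict, a backup is a deep copy
taken at a known time, and the erasure journal is a separate append-only
list. In a real deployment the journal must live outside the primary
database (otherwise it is lost together with it).
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class ErasureRequest:
    """One 'remove my data' request, written down the moment it arrives."""
    subject: str
    requested_at: datetime


@dataclass
class Store:
    """The shop's live subscriber database: subject id -> record."""
    subscribers: dict[str, dict] = field(default_factory=dict)


@dataclass
class Backup:
    taken_at: datetime
    snapshot: Store


def take_backup(store: Store, when: datetime) -> Backup:
    """Snapshot the whole store, remembering when it was taken."""
    return Backup(taken_at=when, snapshot=copy.deepcopy(store))


def erase_subject(store: Store, journal: list[ErasureRequest],
                  subject: str, when: datetime) -> None:
    """Journal first, then delete: if the delete is lost with the database,
    the journal entry survives and is re-applied on restore."""
    journal.append(ErasureRequest(subject, when))
    store.subscribers.pop(subject, None)


def restore(backup: Backup,
            journal: list[ErasureRequest]) -> tuple[Store, list[str]]:
    """Rebuild the store from the snapshot, then re-apply every erasure
    request received after the snapshot was taken. Returns the rebuilt
    store and the subjects whose erasure had to be replayed."""
    store = copy.deepcopy(backup.snapshot)
    replayed: list[str] = []
    for req in journal:
        if req.requested_at > backup.taken_at and req.subject in store.subscribers:
            del store.subscribers[req.subject]
            replayed.append(req.subject)
    return store, replayed


def simulate_kowalski_day() -> dict:
    """The day from the interview: backup at 01:00, unsubscribe at 10:00,
    database destroyed at 20:00, restore from the 01:00 backup."""
    journal: list[ErasureRequest] = []
    store = Store({
        "kowalski@example.invalid": {"newsletter": True},  # constructed
        "nowak@example.invalid": {"newsletter": True},     # constructed
    })
    backup = take_backup(store, datetime(2018, 6, 5, 1, 0))
    erase_subject(store, journal, "kowalski@example.invalid",
                  datetime(2018, 6, 5, 10, 0))
    store = Store()  # 20:00: the live database is gone; only the backup is left
    store, replayed = restore(backup, journal)
    return {
        "kowalski_present": "kowalski@example.invalid" in store.subscribers,
        "nowak_present": "nowak@example.invalid" in store.subscribers,
        "replayed": replayed,
    }


if __name__ == "__main__":
    print(simulate_kowalski_day())
```

The replay only prevents the erased record from coming back into the live system; the bytes still sit in the backup media until that backup ages out under the retention period you can justify, which is the separate question the interviewee raises about whether the backups themselves are required by law. The journal therefore becomes a record to protect in its own right: it lists who asked to be forgotten, so it should hold only the minimum needed to match a record (an identifier, not the full profile) and be backed up at least as often as the main database.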
Does GDPR change the rules upon which a processor/partner should return data to an administrator after finishing cooperation?
Everyone who is an administrator, or a personal data processor on the basis of an agreement with an administrator, should prepare the database in such a way that it is possible to relocate it as a whole, along with its particular data. Each person who transferred data may make a request such as “I would like my data from company X to be transferred to company Y”. That’s why it is a company’s duty to create databases in a readable format.
What happens in case of personal data breach, e.g. as a result of hacker attack?
First of all, GDPR provides the duty to notify a supervisory organ about a personal data breach within 72 hours. Secondly, the new duty of personal data processors will be to prepare a risk evaluation in a given company. An administrator is obliged to document all breaches and the actions undertaken to resolve them. Thirdly, an administrator should without delay inform the person concerned about the breach of their rights.
Are there legitimate concerns about the spectre of multi-million penalties for non-compliance with the provisions of GDPR?
It’s hard to predict. It’s better to be on the safe side because GDPR indeed provides severe fines for breaches. Here we may speak of fines in the amount of 4 percent of an entrepreneur’s total turnover for a given year. Unfortunately, we will have to wait to see how it will work in practice.
Do we already know the final draft of the resolution?
Yes, the resolution awaits only its coming into force in May 2018. However, we still don’t know the final draft of the national regulations that should be established apart from it. Still, it is the resolution that includes the most important changes.
How should online shops prepare for GDPR, what remains uncertain and what can already be done today?
All of this is worth doing from now on. First of all, entrepreneurs should specify the texts of the consents obtained from customers. They should include information about the data obtained from customers and the way it is processed. Everyone should be governed by the general principle that a customer should have the possibility to find out why their personal data is collected and which data it is. Whether a customer would like to familiarise themselves with these answers is a different matter. Entrepreneurs must make it possible for them, and documents must be written in a way a customer can understand.
Where to look for the information about the consents a customer must express in case of e-mail marketing?
You will have to get familiar with the manuals available on the EU, EP and Council websites. Soon something like the Article 29 council that provides good advice and indicates good practices will be convened. For now, we can carry on as we have been doing so far; the current content of the guidelines concerning e-mail marketing is enough. Let’s stay alert, and let’s inform our customers that they have the right to require withdrawal of their personal data from the database. Most vital of all is to show our customers that we are for them and that they have the right to raise objections. It’s also worth not combining consents, and obtaining them in a clear and understandable way.
Must data be physically stored in a certain way? Is a simple exportable database in a CMS enough? Which data should be stored there?
The method of data storage depends on the type of data and on the estimated risk. For example, if it is a little shop which has a group of regular customers who come back to it, and there aren’t big volumes of data, then the retention system for this data storage is different than in the case of big companies which deal with it. There are no specific guidelines. There will be certificates which you may get if you achieve a certain safety level, and there are codes of good practice/proceedings. These codes will do their job concerning safety matters. All depends on the scale and type of data, that is, the scale of activity.
How should the consent for personal data processing look according to GDPR? What should such consent include?
If the consents obtained beforehand meet GDPR requirements, then the data can be further processed. If not, and if, apart from the consent, there are no rationales for personal data processing, then the consents will have to be correctly obtained one more time. That’s why it’s worth obtaining consents already today in the way it will be required from May onwards, after introducing GDPR. What such a consent should look like depends on the branch and the scale of activity because, as has already been said in the interview, universal templates of statements will no longer be in force.