RODO not that scary? Debunking the myths in the IT industry!
In recent months, nothing seems to have stirred up as much emotion among entrepreneurs as the start of application of the famous GDPR (in Poland: RODO) on May 25th, 2018.
New obligations, fines running into millions, and the lack of Polish implementing legislation (the new Personal Data Protection Act was passed before the Regulation entered into force, but the act adapting more than 200 other statutes is still pending) created a climate of anxiety, and sometimes even panic.
The situation was not helped by numerous press publications, which often provided no reliable information and only heated up the atmosphere.
The headlines talked about closing cemeteries, installing bars in office windows and buying “special”, “RODO-compliant” office cabinets…
What is GDPR/RODO, basically?
This intimidating acronym simply denotes the General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Significantly, although it is an EU act, it is a regulation rather than a directive, so it applies directly in Poland without having to be transposed into national law.
The new Personal Data Protection Act, passed before the RODO itself entered into force, is mainly of auxiliary importance (it deals, among other things, with the organisation of the new supervisory authority, the Office for the Protection of Personal Data, and the powers of its President).
Should I be worried about GDPR/RODO at all?
You may ask yourself whether the RODO applies to you and your company at all. Well, I have bad news for you: the RODO applies to everyone who processes the personal data of individuals in the European Union for purposes other than purely personal or household ones.
So if you employ people or sell products and services to people in the EU, or if you run a blog and send out a newsletter, you must comply with the new data protection legislation.
This applies especially to IT companies, which not only hold the data of their own employees and customers but, when implementing ERP or CRM systems for business partners, also gain access to millions of personal data records held by those partners.
Not only “paperwork”, but above all PRACTICE
How do you check, then, whether personal data in your company is processed in accordance with the RODO? The best place to start is a so-called RODO audit, i.e. an inventory of the company's assets related to the processing of personal data.
If you have already completed the formalities required under the data protection rules in force until now, I have good news for you: most of the work is probably done, and adapting to the new legal situation will not be too painful.
For example, if you already had the required documentation before the Regulation entered into force, i.e. a security policy and an IT system management manual, and, very importantly, the rules set out in that policy were actually implemented and followed in your company rather than remaining on paper, then you are well on the way to compliance with the Regulation.
Although the Regulation does not explicitly require such documents, it is for the controller (i.e. you) to decide whether they are necessary given the scale, purposes, scope and context of the processing of personal data. If such documentation already exists and is actually followed, it can, after adjustment, provide a good basis for further action.
Make a registry and you’ll know what you’re processing
In addition to documentation describing the procedures involved in processing personal data, it is worth (and sometimes necessary) keeping appropriate records:
- a record of processing activities (if you are a controller),
- a record of the categories of processing activities (if you are acting as a processor).
To some extent, they replace the list of personal data filing systems required until now. Importantly, under the RODO keeping such records is not universally obligatory: they are mandatory “only” for organisations employing 250 or more persons, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data (formerly “sensitive data”) or personal data relating to criminal convictions and offences.
Even if you find that the law does not oblige you to keep such a record, it is worth preparing one, because it will allow you to identify all the existing sets of personal data in your company and analyse to what extent and for what purpose the data is processed.
Moreover, such a record will allow you to determine whether you actually have a legal basis for processing all the personal data you hold.
Inform the people whose data you possess!
The RODO places great importance on the controller's compliance with the information obligations, described in more detail in Articles 13 and 14 of the Regulation. Compared to the previous provisions, the scope of mandatory information to be provided has increased.
Since all this information must be provided to the data subject at the time the data are collected, the requirement raises important practical doubts (especially where data are collected through forms on websites) that are difficult to resolve unequivocally at this moment.
The safest solution in this case would undoubtedly be to place the required information directly in the online form, which, given its volume, may drive every website designer and UX specialist to despair. Whether compromise solutions such as expandable clauses, pop-up windows or clearly visible links will also be acceptable to the regulator, we will see in time.
RODO Principles – Privacy by design and privacy by default
All the above responsibilities (and many others, described in the RODO, for which this article is too short) have one goal: to protect the users' PRIVACY.
The RODO forces a real revolution in the approach to building tools and processes that handle personal data, which is particularly important for IT companies involved in the development of any software.
Namely, respect for privacy has to:
- be taken into account already at the planning stage,
- be the default to the greatest extent possible,
- be protected to the fullest extent within our power.
Privacy by default means that the most protective data protection settings are the default settings of your IT system or software. Any change to these settings should be made only at the explicit request of the user.
Privacy by design, in turn, means building in the fullest possible protection of personal data from the moment the system is designed.
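How these two principles translate into code is best seen in a small model of user settings and form handling. The example below is added here and is not code from the original article: the setting names, purposes and required fields are assumptions for illustration. Optional processing (marketing, analytics, a public profile) is off until the user explicitly opts in, any loosening of a setting without an explicit user request is refused and every change is logged, while data collected for a purpose is trimmed to the fields that purpose actually needs (data minimisation, decided at design time rather than retrofitted).

```python
"""Privacy by default and privacy by design, illustrated (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Privacy by default: every optional processing starts switched OFF.
# (Setting names are assumed for the example.)
PRIVACY_DEFAULTS: Dict[str, bool] = {
    "marketing_emails": False,
    "usage_analytics": False,
    "profile_public": False,
}

# Privacy by design: for each purpose, only the fields it genuinely needs.
# (Purposes and field lists are assumed for the example.)
REQUIRED_FIELDS_BY_PURPOSE: Dict[str, set] = {
    "newsletter": {"email"},
    "order": {"email", "name", "shipping_address"},
}


@dataclass
class ConsentRecord:
    """One audit entry: who changed what, when, and whether the user asked."""
    setting: str
    value: bool
    requested_by_user: bool
    timestamp: str


@dataclass
class UserPrivacySettings:
    user_id: str
    settings: Dict[str, bool] = field(default_factory=lambda: dict(PRIVACY_DEFAULTS))
    history: List[ConsentRecord] = field(default_factory=list)

    def change(self, setting: str, value: bool, requested_by_user: bool) -> None:
        """Apply a settings change.

        Switching a processing ON (loosening protection) is accepted only when
        the user explicitly asked for it. Switching it OFF is always accepted,
        e.g. when consent is withdrawn or the system tightens defaults.
        """
        if setting not in self.settings:
            raise KeyError(f"unknown setting: {setting}")
        if value and not requested_by_user:
            raise PermissionError(
                f"'{setting}' can only be enabled at the user's explicit request"
            )
        self.settings[setting] = value
        self.history.append(
            ConsentRecord(
                setting=setting,
                value=value,
                requested_by_user=requested_by_user,
                timestamp=datetime.now(timezone.utc).isoformat(),
            )
        )


def minimise(submitted: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Keep only the fields required for the declared purpose.

    Extra fields sent by a form (a phone number on a newsletter sign-up, say)
    are dropped before anything is stored; a missing required field is an error
    rather than a silently incomplete record.
    """
    required = REQUIRED_FIELDS_BY_PURPOSE[purpose]
    missing = required - submitted.keys()
    if missing:
        raise ValueError(f"missing required fields for {purpose}: {sorted(missing)}")
    return {k: v for k, v in submitted.items() if k in required}


if __name__ == "__main__":
    user = UserPrivacySettings("user-42")
    print("defaults:", user.settings)
    user.change("marketing_emails", True, requested_by_user=True)
    print("after opt-in:", user.settings, "history entries:", len(user.history))
    # Constructed form submission containing more than the newsletter needs.
    form = {"email": "jan@example.com", "name": "Jan", "phone": "600100200"}
    print("stored for newsletter:", minimise(form, "newsletter"))
```

The two refusals are the point: the `PermissionError` stops any code path (a migration, a marketing feature flag, a pre-ticked checkbox) from enabling processing the user never asked for, and `minimise` makes the set of collected fields a design decision tied to a purpose, which is also exactly what a record of processing activities needs to document.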
All of this seems very complicated, but it is possible that over time good practices will emerge that make life easier for entrepreneurs, and the protection of personal data will simply become a good habit, followed without much effort or reflection, like sorting household waste. After all, in the end every entrepreneur also entrusts his or her own data to someone, if only when shopping online…
So it would be good for us, for our own sake, to make friends with the protection of personal data.
- On 01/08/2018