MD: How large is the task facing Poland?
MK: Implementing the General Data Protection Regulation (GDPR) into Polish law requires drafting a new law (UODO) and passing over 130 legal acts covering a large number of different sectors. The pre-consultation phase within government is over. We have been talking to hundreds of stakeholders and citizens, unconstrained by legal barriers. We have solved some problems in areas such as surveillance and biometric data – determining when, for example, employers can collect personal data. Only on condition of explicit consent – and the legal acts have to set out how to evaluate what counts as 'explicit consent'. We have to strike the right balance between protecting employees of businesses or public institutions in the workplace and the legitimate interests of the organisation.
What is happening around the implementation of the GDPR is one of the biggest – the most wide-reaching – legal reforms in Poland since 1989. The changes will affect the entire legal system and all data, and so require compliance with many different legal acts.
The pre-consultation stage took six months, after which the draft law was prepared in cooperation with all ministries.
MD: How was it in practice – how have you managed to get all the ministries actively involved?
MK: The ministries are all experts in their own affairs, and changing sectoral regulations without them would not be possible. It was natural to encourage all the regulatory agencies as well as the other ministries to prepare the sectoral acts when they touch on, say, banking – which falls under the remit of the Ministry of Finance. We also had to cooperate with GIODO (the inspector-general for the protection of personal data), which is appointed to enforce the protection of data – both private and public. After GDPR comes into force in Polish law, GIODO will become PUODO (Prezes Urzędu Ochrony Danych Osobowych – the president of the office for personal data protection).
MD: Tell me about the new approach to profiling – how will this be affected?
MK: This is important when decisions that affect an individual could be based on profiling. Let's consider two areas of the financial services sector that will be affected – credit and insurance. Banks and insurers will be allowed to profile customers, but they will be obliged to process data according to the law. Such profiling, however, will only be possible where the obligation to process data results from legal provisions, such as the obligation to assess creditworthiness.
MD: Are there any differences between the way Poland is implementing GDPR compared to other member states?
MK: Yes – there will be differences across the EU member states. There will be exceptions, resulting from the regulatory freedom that member states have in implementing the GDPR framework. One example is the case of penalties for the public sector. Whereas the GDPR envisages maximum fines for breaching the law of up to €20m, in Poland this will apply to the private sector only – the public sector will only face a maximum fine of 100,000 złotys. It's not just about the money. It's about reputation. Both public and private sector entities have it in their best interest to protect their reputation.
MD: How will GDPR affect citizens and their data?
MK: Citizens will get new rights, more than 20 of them, including the right to be forgotten, the right to demand your data, the right to replace personal data, and the portability of data. Just as you can transfer your phone number from one mobile operator to another, you will be able to transfer your personal data, for example, from one bank to another. Buying an airline ticket online, you have to give lots of personal details, including passport or ID number and date of birth; you can ask for such data to be transferred. And when changing jobs, you can ask an employer to do likewise.
MD: What should companies be doing now to ensure compliance?
MK: This new approach to personal data is risk-based, with companies having to show that they've taken the necessary organisational and security measures to protect data. Companies should now be undertaking strategic reviews to see how much data they hold, how they hold and process that data, how it is currently protected, and to understand what they need to be doing to achieve full GDPR compliance. How much data companies have to protect varies from sector to sector. Law firms, for example, do a lot of work around the data that they hold about their clients.
It is estimated that around 50% of firms are not ready. An information campaign, explaining what factors will determine whether fines will be low or indeed punitive, has yet to be shaped. Certification is an important part of compliance. We are working on changing the certification mechanisms in the project to meet the needs of stakeholders as closely as possible.
MD: And what's the public sector doing now?
MK: The role of the Biuletyn Informacji Publicznej (BIP, or bulletin of public information), the system of unified online public records, is crucial here. Under our draft of the new Polish act on the protection of personal data, public-sector entities will be obliged to inform the public as to how they carry out decisions of the UODO ordering them to remedy violations of the law. Here we must emphasise the great importance we attach to communication. Digital affairs minister Anna Streżyńska and I give around ten media interviews a week, and we hold regular press conferences and meetings. And the existing data-protection office, GIODO, is obliged to educate and to organise workshops. An open public administration for digitisation needs to make services more accessible to citizens, while observing the principles of e-privacy, the most important rules, golden measures, checks and balances, and the rights and obligations of citizens and business. Information is the currency of today. We need to weigh the costs and the benefits of any solution intended to secure citizens' data.