GDPR in practice - a challenge or a development opportunity?

Is the GDPR implementation conditioned by a real need for changes in data protection, or should it be seen as an example of EU bureaucratisation?

The EU General Data Protection Regulation (GDPR) was created to replace the Data Protection Directive 95/46/EC and represents a significant change in the European data privacy regulations. Obviously, considering the enormous technological developments of the past 23 years, creating a new legal framework was necessary. Data is undoubtedly one of the most valuable business resources nowadays, and companies need to ensure they are able to protect their customers’ information. At the same time, the GDPR is the EU legislators’ response to the apparent need to unify diverse legislation in the EU Member States. Although it will be impossible to avoid a certain level of difficulty in implementing the new regulations, the GDPR will enable data harmonisation, thus increasing consumer confidence and strengthening the market position of a company, especially in the cyber insurance sector.

The GDPR will come into force on 25th of May. Are companies ready for implementation of the new regulations?

In recent months, many studies have been carried out to assess the level of companies’ awareness of the upcoming changes. Most of the resulting reports prove that many enterprises are not ready to deal with the GDPR challenges and, in spite of the fact that awareness of the GDPR is quite high, especially among IT specialists, the level of preparation for the new regulations is much lower. Moreover, some companies seriously underestimate the impact the GDPR will have on their business operations. There is a noticeable division between large and small enterprises, especially considering the volume of expected enquires and the number of databases that will have to be reviewed. According to the numerous reports, more than half of all companies are not certain of where all their data is stored, and expect difficulties in finding such data across all possible datasets.

In my opinion, companies should pay closer attention to locating and properly defining databases in order to avoid further problems regarding their obligation to respond to all clients’ requests within 30 days. Companies should also be extremely aware of the severity of financial fines that may be imposed as a result of misunderstanding the implications of non-compliance with the GDPR. According to the degree of non-compliance, enterprises can be fined up to EUR 20 million or 4% of their annual worldwide turnover. What is important is that the above-presented fines for non-compliance with the GDPR apply to both data controllers and data processors.

What are the main challenges of the GDPR regulations for IT industry companies and how can they be addressed?

With technological development progressing apace and an increasing amount of information being collected, IT companies should be extremely aware of the requirements of the new EU legislation. The growing popularity of bulk data collection and the increasing number of digital technologies such as big data and cloud computing make it necessary for companies to find the tools to ensure cybersecurity.

To minimise the risk of non-compliance and to avoid the financial fines mentioned above, IT companies should definitely overhaul their IT or customer data systems and prepare a data protection system that is fully compliant with the GDPR. It should also be mentioned that rules incorporated into the GDPR require affirmative consent for the placement of tracking cookies on customers’ Internet browsers. Due to the specificity of the IT sector and its wide range of client categories, IT companies will face a problem of informing users about appropriate data protection measures, especially if we consider partnership agreements and our partners’ clients, often completely unknown to us.

What is important is that under the GDPR regulations the consent conditions have been simplified. Clients’ requests should now be written in plain language, without the use of legalese or illegible forms, and withdrawal of consent should be as simple as expressing such a wish.

What about the territorial scope of the new EU regulations? Does the GDPR only affect companies based in the EU?

The territorial scope of the GDPR and its jurisdiction have been expanded to take into account the global nature of business operations. What should be underlined is that the new law applies to all companies collecting and processing the personal data of EU-based consumers, regardless of the location of the company. Therefore, the GDPR will affect a large number of international businesses providing services in the field of non-EU online services. The GDPR regulations allow data transfer to states in which the level of personal data protection is deemed by the EC to be “adequate”. It should be noted that the activities of EU companies holding and processing the personal data of non-EU citizens are also covered by the new legislation. Companies processing the data of EU citizens but operating outside the EU are obliged to appoint representatives in the EU.

Does the GDPR actually mean the unification of private data protection regulations within the EU? Can we view the new legislation as beneficial for entrepreneurs?

The advantages of the new legislation are undeniable, especially for large international corporations, which aim to conquer new markets. With the introduction of unified regulations throughout the whole European Union, companies will no longer need to consult lawyers and local specialists in the protection of personal data to ensure national legal compliance. Ipso facto, the entrepreneur will no longer have to deal with separate data protection legal systems.

On the other hand, based on the existing legislation, the rules on consent for the collection of biometric or sensitive data in one country may totally differ from those in another. The GDPR rules will also make data protection more restrictive and facilitate enforcement of the regulations. Obviously, there is a risk that countries have retained too much freedom concerning GDPR implementation, which may lead to many attempts to circumvent the new law, as happened in the case of European e-invoicing regulations. Despite the unification of e-invoicing rules, some countries have created their own regulations. This fact raises some doubts concerning the application of the law. Hopefully, in the case of GDPR implementation, any similar worries will prove groundless.

About Bartlomiej Wójtowicz

He has over 10 years of experience in the field of B2B communication in the supply chain. Initially responsible for the EDI market development in Central Europe, he is currently responsible for the development of Comarch BU E-INVOICING portfolio – a platform which allows the user to automate the supply chain and invoicing processes. A comprehensive approach to both internal and external communication with all partners (suppliers, customers, logistic operators, service providers), including the exchange of the product, commercial, logistic or financial data.

About Comarch

Founded in 1993, Comarch has more than 20 years of experience in designing, implementing and integrating IT solutions for enterprises in a variety of industries, including retail, consumer goods, DIY, logistics, manufacturing, pharmaceuticals, and oil and gas. Solutions for data exchange and document management are dedicated to master data management, e-procurement, e-invoicing and AP/AR processes. Comarch is a true end to end procure to pay solution provider. Moreover, the offer comprises a B2B network that guarantees reliable data transmission with more than 100 000 entities worldwide in a short time. Comarch is cooperating with companies such as Metro Systems, Carrefour, Leroy Merlin, BP, BIC, Unilever, Rossmann, Valeant, Valeo, and Technicolor.