Are you prepared for a new approach to protection of your clients’ personal data?

On May 24, 2016, an EU Regulation amending the Personal Data Protection Act entered into force. The regulation applies directly and is therefore binding law for all entrepreneurs (it will also replace the provisions of the Polish Data Protection Act). Entrepreneurs currently have until 25 May 2018 to fully implement the requirements of the Regulation.

The General Data Protection Regulation (“GDPR”) harmonises the protection of personal data in the territory of the European Union. The regulation will affect all areas of a company’s business in which data are processed, and its requirements will have to be taken into account, among other things, in:

  • the sales area – while acquiring the customer data and consent to use data and using multichannel sales (omni-channel) to maintain the customer relationship (customer profiling);
  • the after-sales service – in customer data flows inside the organisation for day-to-day handling of the contract, claims, debt collection, invoicing, settlement and data flows to external partners (outsourcing of services, regulatory requirements, e.g. BIK, UFG);
  • the support area – during data processing in IT systems, analysing customer data for risk assessment, developing new products (Big Data), customer profiling, the preparation of dedicated marketing campaigns (Marketing) or acquisition of new partners/suppliers in the purchasing process;
  • the back office – during the assessment of operational risk (Risk), ensuring the operation of the organisation in compliance with the GDPR (Compliance), audit of internal processes, mitigation of the risk of data leakage from the systems (Systems security), detection of data leakage (HR and Security), security of HR data of own employees and associates.

A number of new obligations have been imposed on data processing companies, primarily expanded information obligations. Information about what data are collected and for what purpose, who the data controller is, which entities can receive the data, and the rights of the data subjects should be provided in a concise, clear and easily accessible form, using simple and understandable language. It is therefore extremely important to consider personal data protection as early as the solution design phase, including the design of IT solutions.

Companies have to implement the GDPR requirements by 25 May 2018. Aligning procedures with the regulation by that deadline is extremely important, as a violation may carry a fine of up to 20,000,000 EUR or 4% of the company’s annual turnover.


More about GDPR at: pwc.pl/rodo