- The General Data Protection Regulation (GDPR) is valid in Poland for 4 years, but many organizations still make mistakes in their application.
- Many violations result from reliance on outdated regulations or misunderstanding the definition of personal data!
- The effects of errors can be minimized thanks to Cyberpolis and D&O insurance.
– I would like to remind you that all institutions, organizations and companies, public and private, are obligated to apply the principles of the General Data Protection Regulation. Despite years of practice, even the best still make mistakes in applying the universal European rules. Most often they relate to three areas: the creation of documentation, the understanding of the definition of personal data, and the application of the rules in accordance with the law. Unfortunately, mistakes can mean high fines, and sometimes even threaten liquidity – says Jagienka Smura, GDPR and information security advisor at Lancea Security Consulting.
3 most common data protection errors
1. Relying on outdated rules
According to the General Data Protection Regulation (GDPR), each organization must keep a record of processing activities, which contains a description of its data security methods, that is, in legal language, a description of technical and organizational security measures. It should, of course, be consistent with the principles implemented in 2018. Moreover, every organization is obligated to carry out a risk analysis that helps adjust the level of data security to the requirements. In practice, however, these documents often still contain rules that the EU regulation made obsolete, namely rules taken from the old Security Policy and IT System Management Instructions. The content of such documents is worth nothing, formally or technically.
The rules derived from the Security Policy and IT System Management Instructions are regulations from about 15 years ago. The most important thing is the technological aspect. The way all data is stored and processed, including personal data, has changed dramatically. Not so long ago, most documents were created on paper and stored in an armored cabinet. Today, all these processes have been digitized. This means that we are dealing with a different kind of leakage risk, which is additionally much greater than in the times of paper dominance. In this case, cybersecurity plays a leading role – explains Szymon Bąk, cyber insurance specialist at EIB SA.
2. Misunderstanding the definition of personal data
Another problem is the misunderstanding of the definition of personal data. As a result, some information is treated as irrelevant, even though practically all data about a person must be protected. This mistaken pattern also has its roots in the past: in Poland, prior to 2004, only identifying information was considered personal data. According to the definition in the General Data Protection Regulation, personal data is any information relating to an identified or identifiable natural person. This means that it is not just about first name, last name, date of birth, gender and the like. Personal data also includes, for example, information about real estate or vehicles owned.
This is where the technological thread comes in. Personal data under the General Data Protection Regulation (GDPR) also includes … images. Can they be posted freely on social media? Such information is shared publicly, and regardless of whether the people in the photo are identifiable or not, it is protected. The same applies to other information shared on the company's public social media profile in which we mention employees, business partners and customers. In this case, it is worth considering whether we really have to publish those photos from company meetings, conferences, exhibitions and everyday company life.
3. Unlawful processing of personal data
Errors also appear as a result of formal complications. For data processing to be lawful, it must meet the conditions set out in two specific Articles of the GDPR: 6 and 9. So where can it go wrong? In applying them separately. Article 6 provides the legal basis; Article 9 only supplements it, applying to special categories of data, the so-called "sensitive" data.
– This is a problem that has been replaced by many data inspectors in organizations. If the company follows the wrong model, it is necessary to correct the information items and reformulate the record of data processing activities. If this content is incorrect, a heavy penalty can be expected in case of inspection. Awareness of this error is entering Polish practice very slowly. This is also the case, unfortunately, with applying outdated rules when creating GDPR documents and with understanding the definition of personal data. Changes in law and technology are happening faster than we realize. So all establishments should keep up with the times so as not to run into fines – says Jagienka Smura of Lancea.
Insurance as a life belt?
As these examples show, even the best make mistakes. However, you can protect yourself from their effects with appropriate insurance. The basis of the protection program should be a cyber policy, that is, insurance against the effects of electronic incidents (since, as a rule, we store and process data electronically). Among other things, it provides funds to cover the costs of securing and recovering digital assets in the event of a leak caused by a hacking attack or human error. Most importantly, however, the insurance covers the costs of the actions the GDPR requires after such an event, i.e. conducting a media campaign among the potential victims of the leak. In addition, it provides for the reimbursement of costs related to administrative and court proceedings and the payment of compensation. In general, the cyber policy may also cover the payment of fines imposed under the General Data Protection Regulation (GDPR).
– A well-organized protection program should take into account another type of policy: D&O, that is, civil liability insurance for members of the management team. After all, irregularities in the creation of documents, and in the identification and lawful processing of personal data, are usually the result of an incorrect decision made by a particular person. Therefore, the owners of the company or the shareholders may file lawsuits against the decision-makers, seeking to assign responsibility for the losses to them. For example, they may expect them to pay administrative penalties or compensation for other damages resulting from a GDPR incident. In addition to covering these losses, D&O insurance will provide the "accused" managers with defense costs, if the losses are found to be due to the negligence of those responsible – adds Szymon Bąk of EIB SA.