New Technologies and Protection of Personal Information

The number of potential threats that stem from the use of cyberspace is continually increasing. The development of new technologies generates gaps in data protection systems that businesses use. Due to the volatility of these processes, it is impossible to create a uniform catalogue of adequate protections. The existing laws and regulations are not aligned with the current development of new technologies. Businesses must face numerous threats resulting from the use of public networks, cloud data storage, mobile applications for smartphones and tablets, and the use of portable memory devices. In many companies, the lack of basic procedures and processes leads to recurring data leaks.

The law imposes numerous responsibilities on businesses, which process personal information. Taking into consideration the knowledge on data protection tools and procedures as well as costs of implementation at a given time, Personal Data Administrators (PDA) may choose any protection instruments, providing that these tools will ensure the level of security appropriate to the type of threats and the type of data that, by law, must be protected. However, the Polish Personal Data Protection Act does not provide a detailed catalogue of procedures that PDAs should implement to fully protect electronic information. The European laws and regulations also lack a detailed and complete catalogue of requirements, whose implementation would mean that a company meets the minimum data protection standards in cyberspace.

A comparison of the requirements imposed by the law makers with the protections used by many Polish businesses leads to the conclusion that the methods implemented by companies are inadequate and insufficient. One of the reasons for this situation is that the law imposes uniform metrics on all administrators, regardless of the size of business and its legal entity. It may suggest that microbusinesses, sole proprietorships and big public trading companies should implement the same means of data protection. Although these different types of businesses have different operational and financial resources available for data protection solutions, they are equally obligated to protect information in cyberspace.

PDAs do not receive any support from the law makers in the form of detailed guidelines indicating, which electronic data protection tools and procedures are necessary to implement. Therefore, they must rely on their own knowledge and be familiar with the existing information technology solutions, when selecting adequate methods of data protection.

These issues are becoming especially important in the context of the upcoming regulation prepared by the European Parliament and the European Council, which will become law in 2019. The regulation will impose on PDAs the responsibility of including the newest technological solutions for personal information protection and the costs of their implementation not only at the time of their application, but also the responsibility of ensuring an adequate budget as well as appropriate operational and technical procedures, throughout the whole time the data is administered by the company. Such phrasing highlights the need for PDAs to stay current with the new developments in the Information Technology field. The new regulation also obligates PDAs to constantly monitor new threats to personal information and to be familiar with available tools that would prevent such threats. The regulation stresses the duty of PDAs to constantly expand their professional knowledge and to stay vigilant.

Undoubtedly, in the light of the upcoming EU regulation, the issue of personal data protection will become a significant challenge for Polish businesses. One of the crucial outcomes of the EU reform will be an introduction of stricter penalties for business owners, who will not follow the new regulation while collecting and sharing personal information. The new requirements, related to staying current with the new technologies, imposed on the administrators of personal information, will urge many business to create PDA positions. This will allow business owners to delegate personal data protection responsibilities to employees qualified in this field. The new requirements will also ensure professional development of PDA personnel according to the regulations.