Today's businesses process a mass of customer data and records of customer behaviour: internet usage, where people like to spend time, what they eat, and so on. The RODO Act, or the General Data Protection Regulation, was created to protect users' data and to reduce the risk of hacking attacks. It applies to every business that processes personal data or subjects the people behind it to profiling. How do you find your way through the maze of complexities and ambiguities associated with RODO?
The entry into force of RODO on May 25, 2018 may have been perceived as a "clerical nuisance," but its actual intention was to increase the security of data processed in businesses and to strengthen the rights of people who share their data, including personal data. RODO is an adaptation of Polish law to the standards of European Union law. Although more than a year has passed since the regulation was introduced in Poland, many issues still need to be clarified.
RODO in practice: what data are we talking about?
RODO, or GDPR (from General Data Protection Regulation), is an EU legal regulation that has given users more control over their data. This covers both structured data, i.e. data held in databases, and unstructured data collected on all sorts of media: webmail, mobile devices, etc. It is therefore necessary to protect both the data and the devices, i.e. to build a coherent IT infrastructure that makes such protection possible. Penalties for non-compliance reach up to the equivalent of 20 million euros or up to four percent of a company's annual turnover. The penalty, of course, depends on the size of the company in question and its turnover; a small company will not be fined the same amount as a large enterprise. When a penalty is set, consideration is given to the nature, severity and duration of the breach, the motivation (whether it occurred intentionally or unintentionally), the categories of data breached, and "steps taken by the controller or processor to minimize harm to data subjects."
RODO Law. New consumer rights regarding data processing
The most important part of RODO concerns the consumer's consent to the processing of their information. What does this mean?
- Any user consent must be voluntary, and a lack of consent must not mean that the data holder suffers negative consequences because of it.
- The wording of consents in data protection sections needs to be simplified, and the consents must be placed so that they are visible and readable by everyone. The user has the right to revoke consent.
- There is also the right to be forgotten, i.e. the user can request the deletion of their data from any databases, servers or devices.
- The user also has the right to correct the information and to transfer the data to another administrator.
- The user must be consciously informed not only that they are consenting to data processing, but also that their data will be profiled. Profiling is the collection of information about a consumer based on their online behaviour. The company should explain in detail what it needs personal data for and why profiling is being used.
Privacy by Design and Privacy by Default
These two provisions are part of the RODO regulation (Article 25) and apply to those entrepreneurs who intend, for example, to open an online store or design an app.
- Privacy by Design – the controller of personal data ("the authority, organizational unit, entity or person deciding the purposes and means of processing personal data"; for a business, this is the entrepreneur himself) should take the protection of user data into account already at the design stage of the business, with security measures adequate to the manner, purpose and nature of processing. Data can, for example, be pseudonymized and their amount minimized, and, of course, users must be able to see them.
- Privacy by Default – data protection by default, that is, meeting the required level of security without the user having to ask for it. For example, if you run an online store and put a product inquiry form on the site, the form should contain only the basic fields needed, not, for example, name, date of birth or other sensitive data. Only the data necessary to complete the order should be collected. This provision also says that personal data should not be made available by default to an unspecified number of people unless this is done at the request of the data subject, and that data should not be stored for longer than necessary.
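The three measures named in the two points above (collecting only the fields an order needs, pseudonymising the identifier used for behavioural statistics, and not keeping records longer than necessary) can be expressed directly in code. The following is an added illustration written for this article, not code from ITH.EU or from any RODO guidance; the field list, the retention period of 90 days and the demo key are assumptions chosen for the example, and the key would in practice be held in a separate key store so that the pseudonyms cannot be reversed from the order database alone.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Privacy by default: the order form accepts only what fulfilling the order needs.
# The field list is an assumption for this example.
ORDER_FIELDS = frozenset({"email", "shipping_address", "product_id", "quantity"})

# Pseudonymisation key. Constructed demo value; in a real deployment it lives in a
# separate system (key store / HSM) from the order data, which is what makes the
# result a pseudonym rather than a plain hash anyone could re-compute.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed retention period for the pseudonymised statistics records.
RETENTION_DAYS = 90


def minimise_order(form: dict) -> dict:
    """Return only the fields needed to complete the order.

    Any extra field (date of birth, phone number, ...) is rejected outright
    rather than silently dropped, so a form that over-collects is noticed.
    """
    extra = set(form) - ORDER_FIELDS
    if extra:
        raise ValueError(f"form collects unnecessary data: {sorted(extra)}")
    missing = ORDER_FIELDS - set(form)
    if missing:
        raise ValueError(f"form is missing required fields: {sorted(missing)}")
    return {field: form[field] for field in sorted(ORDER_FIELDS)}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Map a direct identifier to a keyed pseudonym (HMAC-SHA256).

    The same input always gives the same pseudonym, so behaviour can still be
    counted per customer, but without the key the value cannot be reversed or
    tested against a guessed e-mail address.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def analytics_record(order: dict, now: datetime) -> dict:
    """Build the record kept for statistics: no direct identifiers at all."""
    return {
        "customer_ref": pseudonymise(order["email"]),
        "product_id": order["product_id"],
        "quantity": order["quantity"],
        "created_at": now,
    }


def purge_expired(records: list, now: datetime, days: int = RETENTION_DAYS) -> list:
    """Drop records older than the retention period (storage limitation)."""
    cutoff = now - timedelta(days=days)
    return [r for r in records if r["created_at"] >= cutoff]


def demo() -> dict:
    """Run the three steps on a constructed order and report the outcome."""
    now = datetime(2019, 10, 1, tzinfo=timezone.utc)  # constructed timestamp
    form = {
        "email": "Anna.Nowak@example.com",  # constructed sample input
        "shipping_address": "ul. Przykladowa 1, 00-001 Warszawa",
        "product_id": "SKU-123",
        "quantity": 2,
    }
    order = minimise_order(form)
    old = analytics_record(order, now - timedelta(days=120))  # past retention
    new = analytics_record(order, now)
    kept = purge_expired([old, new], now)
    return {"order": order, "record": new, "kept": len(kept)}


if __name__ == "__main__":
    print(demo())
```

Submitting the same form with an added `date_of_birth` field makes `minimise_order` raise instead of storing the extra data, and `purge_expired` keeps only the record that is still within the retention window.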
Telecommunications companies, under Article 159 on telecommunications secrecy, protect:
- user data;
- the content of individual communications;
- transmission data;
- location data;
- data on connection attempts.
RODO at ITH.EU
As a telecommunications company, we place special emphasis on protecting customer data, and we know exactly what we use it for. Network security is a priority for us, which is why we offer the ITH Security service, covering auditing and monitoring, network protection, a cloud firewall and VPN. We invite you to use the services of our specialists.