Maciej Zawadziński: Complying with the requirements of GDPR can be quite challenging. In your opinion, how are Polish companies doing in that area in general? And how are they doing when looking only at digital marketing?
Mikołaj Otmianowski, Legal Counsel and vice president at DAPR: I think awareness of GDPR in Poland is very high. The challenge is in its practical application. It looks different for companies, depending on their size and business area. A practical example: even in places like small-town hotels, you have to give consent to data processing if you want to rent a room. That shows that awareness is high. People know about GDPR and even try to comply with it.
Narrowing the issues with GDPR to marketing operations, if we equate online marketing only to cookies, I think there is still a lot of work to do in this area in Poland. But it is getting better, primarily due to good practices coming from other countries through group supervisory companies. Big players set the example for SMEs. I think this snowball effect of compliance is gaining momentum, although for now, it is relatively the size of an ice cream scoop. The main challenge, however, is that cookies in Poland are, in principle, regulated by the Telecommunications Law, not by GDPR. And the competent authority is the telecommunications authority, not the data protection authority.
Maciej Zawadziński: In the last four years, the Polish DPA hasn’t imposed such enormous fines for non-compliance with GDPR as other European authorities. But 2022 was a year of record-high penalties for Poland. Is this a growing trend? Can we expect more penalties in the future?
Mikołaj Otmianowski: From my perspective, we can expect more penalties in the future. But let’s remember that a financial penalty is supposed to be the last resort. It is supposed to be a deterrent, but also has to be adequate. The idea is to punish the controller and not destroy their business. However, we can see that the authority is taking steps in the right direction. What is particularly interesting is their initiative to evaluate compliance of mobile apps in 2022.
Maciej Zawadziński: US BigTech is struggling with GDPR compliance. DPAs in France, Spain and Ireland have imposed gigantic fines on many US tech organizations. What is the Polish DPA’s stance on BigTech? In your opinion, will there be any action taken against companies such as Google or Facebook?
Mikołaj Otmianowski: There is no official position from the Polish DPA on the BigTech issues. I think that the lack of guidelines and training from the DPA is one of the biggest challenges for controllers and processors, especially for small and medium-sized businesses. In Poland, we look up to offices from France, Germany and Spain and try to adapt our behavior to their guidelines. Even though there may not have been fines levied against Google or Facebook in Poland, it is worth noting the proceedings the DPA is conducting against VINTED. It could be an interesting case.
Maciej Zawadziński: The Polish website ChronPESEL.pl and the National Debt Register recently conducted a survey where they asked Poles if they knew how to ensure the security of their personal data, among other things. As much as 90 percent of the respondents confirmed that they do. How do you feel about the outcome of this research? Are Poles really that good with securing their personal information?
Mikołaj Otmianowski: It’s a typical research problem. If the interviewers asked the participants if they knew how to secure their data, I expect many of them would be embarrassed to say that they don’t. Some may not be aware that they can’t.
I get the impression that every so often, we can read another story in the media where someone got scammed by a fake love interest or something like that. Even though this isn’t about phishing, but rather extortion of money, the pattern is the same. With the training on the implementation of GDPR at workplaces, people are learning how to protect their data. Although knowledge is spreading, there is still a fair amount to do in this area.
Maciej Zawadziński: Let’s narrow down user privacy to the area of online marketing. What actions do Poles take, and what software do they use to protect their personal information?
Mikołaj Otmianowski: I would distinguish between actions taken to protect user privacy and personal data. For example, an entity may ensure full security of data but process a great deal of personal data and violate privacy. I’d say that Poles opt for a standard solution, like privacy mode in the browser, when it comes to using privacy software.
For data protection, they may choose to set up alerts that will inform them about an attempt to steal their credit card data. I doubt it goes beyond that.
Maciej Zawadziński: The global privacy technology market has been on the rise for some time now. Is the privacy tech sector well developed in Poland?
Mikołaj Otmianowski: The privacy market is growing at a dizzying pace. Using GDPR management software as an example, there is talk of annual growth of 30% to 40%. There are quite a few new types of software to assist administrators in managing GDPR compliance. Polish entrepreneurs are vendors of the world’s top solutions for email marketing, cookie management and data analytics. I think more and more companies realize that complying with GDPR is a business opportunity and a competitive advantage.
Maciej Zawadziński: Recently, DAPR launched a new app, called RED INTO GREEN (RIG). Could you tell us a bit more about it?
Mikołaj Otmianowski: RIG is a piece of software dedicated to organizations that want to comply with privacy laws, particularly GDPR. It has been designed for data protection officers and their teams. The application allows for performing and updating risk analyses under GDPR. It also enables its user to run data breach risk assessments and legitimate interest assessments, keep all the required registers, and much more.
Key RIG features are ERP-system-class reports, linkages, and automation of data management in the application. On top of that, it offers a verified methodology of risk estimation, which allows for adjusting the level of analysis to the needs of the organization.
Currently, we are working on synchronizing GDPR risk analysis with cybersecurity. Integration should be ready by the end of this year.
Four years into GDPR
How EU businesses have responded to the new privacy compliance challenge
Legal Counsel, DAPR sp. z o.o.
Mikołaj’s professional experience includes many years of work as a legal advisor in Poland and abroad, as a department director at the listed company Polimex-Mostostal, as well as in his own law firm and several legal-tech startup projects. Mikołaj is also the Chairman of the Legaltech Commission at OIRP Warszawa.
His extensive legal knowledge, a passion for legal tech, and the ability to connect the right people have led to the creation of the methodology employed by the REDINTOGREEN tool. This methodology has a significant impact on the comfort and quality of the work of data protection officers. Currently, he is focusing on cybersecurity issues in organizations.