Szymon Cydzik: The European Data Protection Board wants to make it easier for companies to comply with the GDPR
The EDPB brings together data protection authorities from all European Union countries (including the Polish UODO). In early July, in Helsinki, it pledged to facilitate compliance with the GDPR by micro, small, and medium-sized organizations. EDPB members have committed to developing common methods, practices, tools, and guidelines, and to regularly reviewing their joint activities.
These planned actions include the development of up-to-date and concise guidelines for micro, small, and medium-sized enterprises, monitoring national guidelines and ensuring coordinated, uniform application of the law, and the development of uniform EU data breach notification forms and checklists. "The EDPB is committed to helping organizations achieve GDPR compliance more easily and effectively. With up-to-date and concise guidance and ready-to-use tools such as a common data breach notification template, checklists, practical advice, and answers to frequently asked questions, we will maintain our efforts to ensure that compliance with GDPR requirements is achievable and accessible to all," said EDPB Chair Anu Talus.
A new approach to personal data protection, taking into account innovation and competitiveness
"These recommendations are currently very general. However, if what they promise actually comes to pass, it could make it easier to comply with the regulations," says Dr. Paweł Litwiński, an attorney at the Barta Litwiński law firm.
Professor Grzegorz Sibiga, an attorney at Traple, Konarski Podrecki i Wspólnicy, points out that the EDPB's Helsinki Declaration is only the first step toward a new approach to personal data protection, one that takes into account innovation and competitiveness, as well as a series of actions to implement this approach. "I have mixed feelings about it. On the one hand, the declaration promises positive measures for businesses that are intended to simplify the implementation of obligations across the EU," the expert explains. "On the other hand, these actions may not meet market expectations for a genuine dialogue with businesses aimed at simplifying and deregulating personal data protection," he adds.
He emphasizes that the EDPB's activities are aimed at protecting fundamental rights, not at balancing the various objectives of the common market. The Board lacks experience and competence in that area. It should therefore be an important participant in this dialogue, but not its host, as it wishes to be.
"I see many traps, because ultimately it will still be entrepreneurs themselves who will have to assess whether they are applying the regulations correctly," says legal counsel Jakub Wezgraj.
"They may have additional checklists and similar tools at their disposal, but they will still be making their own assessments based on their own knowledge. I'm concerned about the lack of adequate support for GDPR compliance certification systems, which are, after all, provided for in legislation and should be strongly developed in individual European Union member states. It's one thing to undergo an audit conducted by a specialized entity and receive a certificate of compliance recognized by a supervisory authority, but it's quite another to 'inspect' yourself and assume everything is in order," he concludes.
GDPR and business activity: A uniform privacy policy template is needed
Wezgraj cites the example of businesses selling online, whose goods can be ordered and delivered to several EU countries. Such a company would benefit from the cooperation of supervisory authorities in individual EU countries to develop standardized templates for basic documents to be used across all markets, for example a uniform privacy policy template.
In addition, there may be specific requirements regarding personal data protection applicable in a specific market (contrary to appearances, the GDPR has not fully unified the principles of personal data processing across the entire EU market; differences are noticeable, e.g. in the principles of personal data processing for marketing purposes).
Many EU countries (including Poland) still lack specific guidelines, for example, on conducting data security risk analysis in smaller organizations. For most businesses, this still represents a real mystery, yet these days, even small online stores must ensure an adequate level of user data security.
"What does an 'appropriate' level mean if the entrepreneur is unable to assess the scale of the risk?" Jakub Wezgraj asks rhetorically.
RP