Greetings from Brussels!

This week I had the opportunity to address the growing Polish privacy community at the inaugural IAPP Warsaw KnowledgeNet (or "KNet," for the initiated). I have to say, what a gem of a city. I was fortunate to have some down time to explore the old town and found it to be delightful. Although, rather than being centered exclusively on the old market square, the capital is spread across a broad area with diverse architecture: restored Gothic, communist era remnants, as well as the modern skyscrapers of glass and steel. Quite the fusion for a city steeped in historical landmarks. I couldn’t help but feel a sense of the city’s rebirth, a renaissance for modern times.

The inaugural KNet was hosted by CMS Poland at the Warsaw Business Club Centre. Our two co-chairs, Marcin Lewoszewski, Senior Associate of CMS Poland, and Joanna Brylikowska, DPO at Provident Poland, did a truly remarkable job in organizing the event. Interest in the event was strong, and we ended up with a full house of 135 delegates. The event was also held under the patronage of the Polish DPA — Inspector General for the Protection of Personal Data  — which was welcome, and demonstrates their emphasis on encouraging dialogue with business.

The center piece of the half-day program was a panel chaired by Lewoszewski on the important challenges for businesses and the regulator in relation to the implementation of the GDPR. The panelists included Piotr Drobek, deputy director of Social Education and International Cooperation at the GIODO; Maciej Kawecki, political adviser at the Cabinet of the Minister of Digital Affairs; and Magdalena Piech, an independent data protection expert.

Throughout the discussion, there were a number of questions put to the audience through a live polling facility that I think would be insightful to share. Firstly, 20 percent of the privacy pros who attended the event were of the opinion that Polish business will need at least 18 to 24 months to be fully prepared for the changes resulting from the GDPR. Over 64 percent surveyed estimated that the necessary changes will take their organizations approximately 12 months, while 16 percent of respondents believed that half a year will be sufficient. This is quite significant considering that the GDPR comes into force in about 14 months.

The majority of privacy pros (77 percent) believed that making business decisions on new investments both domestically and elsewhere in the EU would be influenced by the perceived level of severity of the applicable data protection laws in a given market, as well as the attitude of the applicable supervisory authority. Lewoszewski had this to say: “Personal data is a significant driver for business activity, and thus it is of specific practical importance how the GIODO will operate in the future, and to what extent the local law will limit the possibilities granted under the GDPR. For instance, obtaining consent from employees for processing their personal data and how discrepancies between the EU regulation and the national acts will be interpreted.” The issue of consent for obtaining personal data from employees, such as access to criminal records and biometric data, highlighted divisive opinion in the room: Fifty-four percent believing that businesses should be able to collect data on employees’ criminal records, while 46 percent were opposed. In Poland, it is not permitted under the current legal system to collect such data, which is particularly important for verticals such as the financial sector and the R&D sector.

Clearly privacy pros are keen to see how far, and how swiftly, Poland will go in repealing the existing national acts in favor of the GDPR. As voiced by many of the conference participants, the current lack of national implementing legislation, which would clarify the EU guidelines, poses an additional challenge for Polish businesses to adapt to the new requirements. Additionally, it was mentioned that this could be an important factor affecting the assessment of Poland’s attractiveness for foreign investment. Like elsewhere in the EU, privacy pros are equally vigilant as to what the local DPAs are saying in terms of guidance while keeping a watchful eye on the sometimes Herculean task of repealing national law where applicable.