What is GDPR and how to implement data protection in a company? | nFlo

What is GDPR and how to implement data protection?


In a global economy where data flows without borders and trust becomes a key currency, data protection has ceased to be a local concern and has become an international standard. At the heart of this revolution is the GDPR (General Data Protection Regulation). This is a landmark piece of European Union legislation that has redefined the rules of the game, giving citizens unprecedented control over their data and imposing specific, strict obligations on companies.

For Polish businesses, especially those operating internationally, understanding and implementing GDPR is absolutely crucial. It is not only a legal requirement, but also the foundation for building credibility and trust among customers and partners across Europe. Ignoring these rules means risking not only severe multi-million dollar fines, but also loss of reputation and going out of business. In this guide, we will explain what the GDPR is, how it relates to the Polish RODO, its fundamental principles, and how, step by step, to implement a robust data protection system in your company that will not only comply with the law, but become a real competitive advantage.

What is GDPR (General Data Protection Regulation) and why does it also apply to Polish companies?

GDPR, or General Data Protection Regulation (in full, Regulation 2016/679 of the European Parliament and of the Council (EU)), is an EU regulation that went into effect on May 25, 2018, introducing revolutionary and unified data protection rules across the European Union. Its overarching goal was to strengthen the rights of individuals to control their data, and to impose strict obligations on organizations (both companies and public institutions) related to data processing.

One of the key features of the GDPR is its legal form – it is a regulation, not a directive. This means that its provisions apply directly in all EU member states, including Poland, without the need for implementation into national legal order. Polish companies must comply with the GDPR regulations in exactly the same way as companies in Germany, France or Spain. The regulation replaced an earlier 1995 directive, which was implemented differently by individual countries, leading to inconsistencies. GDPR created a single digital market in terms of data protection.

Moreover, the GDPR is extraterritorial in nature. This means that its provisions apply not only to companies based in the EU, but also to organizations outside the EU that offer their goods or services to individuals located in the EU or monitor their behavior. In practice, if a Polish company processes personal data of its customers, partners or employees, who are individuals, it absolutely falls under the GDPR regime.

What are the key differences and similarities between the GDPR and the Polish RODO?

In everyday business language in Poland, the terms “GDPR” and “RODO” are often used interchangeably and in most cases mean the same thing. This coincidence is due to the fact that both abbreviations refer to the same piece of legislation – EU Regulation 2016/679.

RODO is simply the Polish acronym (Rozporządzenie o Ochronie Danych Osobowych, Personal Data Protection Regulation) for the General Data Protection Regulation. So, from the perspective of content and obligations, there are no differences between the GDPR and RODO, as they are the same legal document. The principles, definitions, rights of individuals and obligations of controllers described in the GDPR are exactly the same rules that Polish companies know under the name RODO.

Minor differences and additions may arise at the level of the Polish Data Protection Act. The GDPR, despite being a directly applicable regulation, leaves some room for member states to clarify certain issues in national law (the so-called margin of discretion). The Polish law regulates, for example, issues related to the functioning of the national supervisory authority (the President of the Office for Personal Data Protection – DPA), the age from which a child can independently consent to online services, or data processing in the context of an employment relationship.

In summary, it is crucial for the Polish entrepreneur to understand that RODO is the Polish name for GDPR. The substantive core of obligations, such as the principles of data processing, the need for a legal basis, information obligations or the breach notification procedure, follows directly from the text of the EU regulation and is identical throughout the European Union.

Why is non-compliance with GDPR a risk of multi-million dollar fines?

One of the most widely publicized and effective mechanisms that have forced companies to prioritize data protection is the extremely high financial penalties under the GDPR. The regulation introduced a two-tiered system of administrative fines, which are intended not only to be severe, but also to act as a deterrent. Their amount is unprecedented in the history of privacy regulation.

The first, lower penalty threshold is a maximum of €10 million or up to 2% of the company’s total annual worldwide turnover from the previous fiscal year, whichever is higher. Penalties from this threshold can be imposed for violations of the obligations of the controller and processor, such as failure to properly maintain a register of processing activities, failure to implement appropriate technical and organizational measures, or failure to properly enter into a data processing (entrustment) agreement.

The second, much higher threshold is a maximum of €20 million or up to 4% of total annual worldwide turnover. This category of fines is reserved for the most serious violations, such as violations of fundamental principles of data processing (e.g., processing data without a legal basis), violations of data subjects’ rights (e.g., the right to be forgotten), or failure to comply with supervisory authority orders. The amount of the penalty is determined on a case-by-case basis and depends on a number of factors, including the nature and severity of the violation, the number of affected individuals, the degree of fault and cooperation with the supervisory authority. Such severe financial penalties make ignoring the GDPR a huge and unacceptable risk for any company.

What are the fundamental principles of data processing under the GDPR that every business must know?

The GDPR is based on several fundamental principles, enshrined in Article 5 of the regulation, which constitute a kind of “constitution” of personal data protection. Every company’s data processing must comply with these principles, and every entrepreneur and manager should know and understand them, as they form the basis for assessing the legality of all actions on data.

Principle of lawfulness, fairness and transparency: Data must be processed legally (on one of six legal bases, e.g., consent, contract), and the process must be fair and fully transparent to the data subject. Purpose limitation principle: Data can only be collected for specific, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Data may not be collected in reserve, “just in case.”

Data minimization principle: The company may only process data that is adequate, relevant and limited to what is necessary for the specified purpose. Collection of redundant information should be avoided. Principle of accuracy (correctness): Data must be accurate and, where necessary, kept up to date. Every reasonable measure must be taken to ensure that inaccurate data is promptly deleted or corrected.

Storage limitation principle: Data can be kept in personally identifiable form only as long as necessary for the purposes for which it is processed. After that time, it must be deleted or anonymized. Integrity and confidentiality principle: Data must be processed in a manner that ensures its adequate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical and organizational measures. The final, overarching principle is the principle of accountability, which states that the data controller is responsible for compliance with the above principles and must be able to demonstrate this.


7 Data Processing Rules (GDPR Art. 5)

  1. Lawfulness, fairness and transparency: operate legally and be open about what you do with data.
  2. Purpose limitation: Collect data only for a specific, predetermined purpose.
  3. Data minimization: Collect only as much data as absolutely necessary.
  4. Accuracy: Ensure that the data is correct and up-to-date.
  5. Storage limitation: Store data only as long as needed.
  6. Integrity and confidentiality: Protect your data from loss, destruction and unauthorized access.
  7. Accountability: Be able to prove that you follow all of the above rules.

What technical and organizational measures are necessary to ensure GDPR compliance?

GDPR requires companies to implement “appropriate technical and organizational measures” to ensure data security and compliance. The approach is risk-based, meaning that the level and type of safeguards should be appropriate to the scale, nature and context of data processing and the risk of infringing on the rights and freedoms of individuals.

Technical measures are specific technological solutions to protect data. Among the most important of these are:

  • Encryption: both data at rest (on server and laptop drives) and data in transit (transmitted over the network using TLS; the older SSL protocol versions are obsolete and should be disabled).
  • Access control: Implement strong authentication mechanisms, including multi-factor authentication (MFA), and enforce the principle of least privilege.
  • Network security: Use of firewalls, intrusion detection and prevention systems (IDS/IPS) and network segmentation.
  • Endpoint protection: Use advanced antivirus software (EPP/EDR) on all workstations and servers.
  • Regular creation and testing of backups: Ensure that data can be quickly restored in the event of a disaster or attack, and verify restores regularly rather than assuming the backup works.

Organizational measures, on the other hand, are policies, procedures and activities not directly related to technology that build a security culture within a company. These include:

  • Policies and Procedures: Have a documented Data Protection Policy, incident response procedures, procedures for handling data subjects’ rights, etc.
  • Training and awareness building: Regular training of all employees on data protection and cyber security.
  • Supplier management: Implement procedures for vetting subcontractors and enter into appropriate data processing entrustment agreements with them.
  • Classifying information and managing the data lifecycle: Defining what data is confidential and implementing procedures for its secure disposal after the retention period.
  • Regular audits and testing: Cyclical verification of the effectiveness of implemented measures through internal audits and penetration tests.

How does transparency and GDPR compliance build trust with international customers?

In a global market, where customers and business partners come from different countries and legal cultures, GDPR compliance has become the universal language of trust and credibility. For international customers, especially those in Western Europe, high data protection standards are no longer a “nice-to-have” but a fundamental expectation. A company that can demonstrate that it takes the GDPR seriously and professionally sends a strong signal that it is a mature and responsible partner.

Transparency, which is one of the key principles of the GDPR, plays a huge role here. A clear and understandable privacy policy, clear information about what data is being collected and for what purpose, and simple and effective procedures for exercising users’ rights (e.g. to delete data) build a positive experience and a sense of security. Customers are more likely to entrust their data to a company that does not hide anything in convoluted legal jargon, but openly communicates how it cares about their privacy.

GDPR compliance is also becoming a key competitive factor in B2B relationships. Large multinational corporations, themselves subject to stringent requirements, are conducting detailed audits of their suppliers and subcontractors. The ability to demonstrate GDPR compliance, for example by being ISO 27001 certified or presenting the results of security audits, is often a prerequisite for cooperation. A Polish company that can boast a mature data protection system has a much better chance of winning contracts from global players than competitors that treat the subject in a low-key manner.

Finally, a robust GDPR implementation minimizes the risk of security incidents and data leaks that could have catastrophic consequences for a company’s reputation internationally. News of a breach spreads globally in a matter of hours, and rebuilding trust with customers in different markets is extremely difficult and costly. Investing in GDPR compliance is therefore an investment in your global brand and long-term customer relationships.

How to conduct a data protection impact assessment (DPIA) required by the GDPR?

A Data Protection Impact Assessment (DPIA) is a special process required by the GDPR to systematically identify, analyze and minimize risks to the rights and freedoms of individuals associated with new or modified data processing. A DPIA is only mandatory if a particular type of processing, by its nature, scope, context and purposes, is likely to result in a high risk of violation of the rights or freedoms of individuals.

Examples of situations that almost always require a DPIA include systematic and comprehensive profiling that leads to decisions with legal consequences, large-scale processing of sensitive data (e.g., health data), or large-scale systematic monitoring of publicly accessible places (e.g., advanced video surveillance). The European Data Protection Board and national supervisory authorities (such as the Polish DPA) publish lists of types of processing operations for which a DPIA is mandatory.

The process of conducting a DPIA should be structured. It begins with a detailed description of the planned processing operations, including the purposes, the data being processed and the entities involved. This should be followed by an assessment of the necessity and proportionality of these operations in relation to the objectives. A key element is the identification and assessment of risks to data subjects’ rights and freedoms (e.g., risk of discrimination, identity theft, financial loss).

For each identified risk, measures should be planned to minimize the risk. These can be additional technical safeguards (e.g., pseudonymization, encryption), process changes (e.g., shortening data retention periods) or organizational measures (e.g., additional training). The result of the entire process is a document (DPIA report), which provides evidence of the analysis and measures taken to protect the data. If the risk remains high despite the mitigation measures, the company is obliged to consult with the supervisory authority before starting processing.

When is a company required to appoint a Data Protection Officer (DPO) under the GDPR?

The Data Protection Officer (DPO) is a key role in the data protection system, acting as an internal expert, advisor and point of contact. The GDPR precisely defines in which situations it is mandatory for a company or institution to appoint a DPO.

According to Article 37 of the GDPR, the appointment of a Data Protection Officer is mandatory in three cases. First, when the processing is carried out by a public authority or entity. This rule applies to virtually the entire sphere of public administration, with the exception of the courts in their administration of justice.

Second, the obligation to appoint a DPO arises when the main activity of the controller or processor consists of processing operations that, due to their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale. Examples include telecommunications companies monitoring network traffic, insurance companies profiling customers for risk assessment purposes, or analytics companies tracking user behavior online.

Third, a DPO must be appointed when an organization’s core business involves large-scale processing of special categories of personal data (so-called sensitive data, as defined in Article 9 of the GDPR, e.g., data on health, racial or ethnic origin, political views) and data on criminal convictions and offenses (Article 10 of the GDPR). Thus, the obligation applies primarily to hospitals, clinics, pharmaceutical companies, and other entities whose business model relies on sensitive data. Even if a company does not meet the statutory prerequisites, it can appoint a DPO voluntarily, which is seen as good practice and an expression of concern for data protection.

How to properly manage data processing consents and user rights (e.g., to be forgotten)?

Managing consent and realizing the rights of data subjects are among the most important operational challenges associated with GDPR. Properly addressing these issues is not only a legal requirement, but also a key element of building a transparent and trusting relationship with customers.

If a company processes data on the basis of consent, it must meet a number of strict conditions. Consent must be freely given, specific, informed and unambiguous. This means that pre-ticked checkboxes cannot be used: the user must actively take an action to give consent. What’s more, the consent must be for a specific, clearly defined purpose (e.g., a separate consent for a newsletter, a separate one for participation in a contest). The company must be able to prove at any time that it has obtained valid consent. It is equally important to ensure that the user can easily withdraw his or her consent at any time, and the withdrawal process must be no more complicated than giving consent.
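As an added illustration (not code from the original article or from nFlo), a small append-only consent ledger in Python that applies the conditions above: one consent per stated purpose, an affirmative action required (pre-ticked boxes rejected), the full history retained as evidence, and withdrawal as a single step. User ids, purpose names and notice versions are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent ledger (constructed example)."""
    subject_id: str
    purpose: str          # one separately stated purpose, e.g. "newsletter"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # UTC timestamp of the user's action
    notice_version: str   # version of the consent text shown to the user
    source: str           # where the action happened, e.g. "signup-form"


class ConsentLedger:
    """Append-only, per-purpose consent record kept as evidence of valid consent."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              source: str, affirmative_action: bool,
              at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box, a default or silence is not consent: the caller
        # must confirm that the user actively opted in for this purpose.
        if not affirmative_action:
            raise ValueError(
                f"consent for '{purpose}' requires an affirmative action; "
                "pre-ticked boxes and defaults are not valid consent")
        event = ConsentEvent(subject_id, purpose, True,
                             at or datetime.now(timezone.utc),
                             notice_version, source)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is one call with no extra conditions, so it is never
        # harder than granting consent.
        event = ConsentEvent(subject_id, purpose, False,
                             at or datetime.now(timezone.utc), "n/a", source)
        self._events.append(event)
        return event

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for one subject and purpose, to demonstrate valid consent."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """The latest event for this subject and purpose decides; default is no."""
        history = self.evidence(subject_id, purpose)
        return bool(history) and history[-1].granted


def preticked_rejected() -> bool:
    """A consent recorded from a pre-ticked box must be refused by the ledger."""
    try:
        ConsentLedger().grant("user-7", "newsletter", "privacy-v3",
                              "signup-form", affirmative_action=False)
    except ValueError:
        return True
    return False


def demo() -> Tuple[bool, bool, bool, int]:
    """Newsletter/contest scenario from the text: separate consent per purpose."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("user-42", "newsletter", "privacy-v3", "signup-form",
                 affirmative_action=True, at=t0)
    newsletter_ok = ledger.may_process("user-42", "newsletter")  # True
    contest_ok = ledger.may_process("user-42", "contest")        # never asked
    ledger.withdraw("user-42", "newsletter", "account-settings",
                    at=datetime(2024, 4, 2, 12, 0, tzinfo=timezone.utc))
    after_withdrawal = ledger.may_process("user-42", "newsletter")
    proof = len(ledger.evidence("user-42", "newsletter"))  # grant + withdrawal
    return newsletter_ok, contest_ok, after_withdrawal, proof
```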

The GDPR grants individuals a number of rights, and the company, as a controller, is obliged to create procedures for their smooth exercise. The most important rights include the right to access data, the right to rectification, the right to erasure (“the right to be forgotten”), the right to restrict processing, the right to data portability and the right to object. The company must have an internal procedure that specifies how to receive, verify and respond to such requests, generally within one month. It is essential to train employees, especially those in contact with customers, on how to recognize and handle such requests.

What is the procedure for reporting data breaches to the relevant supervisory authorities in the EU?

One of the key obligations imposed on controllers by the GDPR is a data breach notification procedure. It is a formalized process with short deadlines, and its purpose is to allow supervisory authorities to control the situation and protect the rights of those affected by the breach.

In the event of a personal data breach, the controller, without undue delay – and where feasible, no later than 72 hours after becoming aware of the breach – is obliged to report it to the competent supervisory authority. In Poland, this is the President of the Office for Personal Data Protection (UODO). If the controller fails to make the notification within this timeframe, it must attach to the notification an explanation of the reasons for the delay. It should be emphasized that the obligation to report does not arise if the breach is unlikely to result in a risk to the rights or freedoms of individuals.

The breach notification should contain at least some key information. It should describe the nature of the breach, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach. Contact information for the Data Protection Officer or other point of contact should be provided. You must also describe the possible consequences of the breach and the measures taken or proposed by the controller to remedy the breach, including measures to minimize its possible negative effects.

For companies with cross-border operations, notification is made to the so-called lead supervisory authority, which is usually the authority of the country where the company has its main establishment in the EU. The notification procedure requires having internal procedures in place beforehand, so that in a crisis situation you can act quickly, efficiently and in accordance with legal requirements.

What to look for in contracts with subcontractors (processors) outside the European Union?

Working with subcontractors outside the European Union who process personal data as part of their services (e.g., U.S. cloud service providers, customer service centers in India) involves specific requirements and risks in the context of the GDPR. In principle, the regulation prohibits the transfer of personal data outside the European Economic Area (EEA), unless an adequate level of protection of the data is ensured.

First of all, as in the case of EU subcontractors, it is necessary to conclude a detailed data processing entrustment agreement in accordance with Article 28 of the GDPR. However, this is not enough. For a data transfer to be legal, it must be based on one of the transfer mechanisms provided for in the regulation. For many years, the most popular mechanism for transfers to the US was the so-called Privacy Shield, but this was invalidated by the EU Court of Justice in 2020 (Schrems II ruling).

Currently, the most commonly used mechanism is Standard Contractual Clauses (SCCs). These are model contracts approved by the European Commission that must be included in a contract with a non-EEA subcontractor. Signing SCCs imposes a number of obligations on both parties to ensure that data is protected at a level similar to that of the EU. Importantly, after the Schrems II ruling, simply signing SCCs is not enough. The company transferring the data (the exporter) is required to conduct a Transfer Impact Assessment (TIA), in which it must verify that the law and practice in the destination country do not undermine the guarantees contained in the SCCs (e.g., that the country’s public authorities do not have disproportionate access to the data).

If the assessment shows that the risk is too high, the company must implement additional safeguards, such as strong encryption (including encrypting data during processing) or advanced organizational measures. Other, less commonly used transfer mechanisms include the European Commission’s adequacy decision or binding corporate rules (BCRs) for intra-group transfers. Managing data transfers outside the EEA is one of the most complex and risky areas of GDPR compliance.

How can nFlo’s comprehensive services, from cybersecurity audits to implementations, support your company in achieving GDPR compliance?

Achieving and maintaining GDPR compliance is a process in which a solid technological foundation and a mature cybersecurity strategy play a key role. At nFlo, we fully understand that regulatory requirements must be translated into concrete, working solutions in the IT infrastructure. Our comprehensive portfolio of services is designed to support organizations in building the secure and resilient environment needed to effectively protect personal data.

Our support begins with audit and consulting services. We help conduct a detailed risk analysis and assess the adequacy of existing technical safeguards. We verify the configuration of networks, access control systems, encryption mechanisms and backup procedures, identifying gaps that may be in violation of GDPR Article 32 requirements. The result of our work is a roadmap with specific technical and organizational recommendations to help you strengthen your security posture.

Based on the audit results, our engineering team helps implement and manage key security technologies. We design and implement secure network architecture, deploy advanced firewalls (NGFW), endpoint protection (EDR) systems and strong authentication (MFA) mechanisms. Our IT infrastructure management services ensure that your systems are always up-to-date, monitored and properly secured, which is key to the principle of data integrity and confidentiality.

Finally, we help companies prepare for the worst. Our penetration testing verifies the real-world resilience of your systems to attacks, and our incident response planning and business continuity plan development services ensure that, in the event of a breach, you will be able to respond quickly, effectively and in compliance with legal requirements. When you choose nFlo, you get a partner with the unique combination of legal and organizational expertise and deep technical knowledge necessary to ensure real, not just paper, GDPR compliance.

About the author:
Łukasz Gil

Łukasz is an experienced specialist in IT infrastructure and cybersecurity, currently serving as a Key Account Manager at nFlo. His career demonstrates impressive growth, from client advisory in the banking sector to managing key accounts in the field of advanced IT security solutions.

Łukasz approaches his work with a focus on innovation, strategic thinking, and client-centricity. His method of managing key accounts is based on building strong relationships, delivering added value, and tailoring solutions to individual needs. He is known for his ability to combine technical expertise with business acumen, enabling him to effectively address clients' complex requirements.

Łukasz is particularly passionate about cybersecurity, including EDR and SIEM solutions. He focuses on delivering comprehensive security systems that integrate various aspects of IT protection. His specialization spans New Business Development, Sales Management, and implementing security standards such as ISO 27001.

He is actively committed to personal and professional development, continuously expanding his knowledge through certifications and staying updated on industry trends. Łukasz believes that the key to success in the dynamic IT world lies in constant skill enhancement, an interdisciplinary approach, and the ability to adapt to evolving client needs and technologies.