Few people had probably expected that if Max Schrems were to make his first appearance in Poland it would be at a conference called “GDPR benefits for business”. And yet that was the case. The huge success of the conference held by DAPR was due to the speakers who were mostly GDPR practitioners who work with it on a daily basis.
The talk that proved to be the most popular was definitely the one by Max Schrems, the Austrian lawyer who has twice achieved the rescission of agreements between the European Union and the United States before the courts on the grounds of privacy protection. You might have thought that he was trying to make businesses’ lives harder, but once you had listened to his talk it became clear that he was not. He started off by saying that he is a technology enthusiast, and he likes it a lot. He is in favour of its development. Both issues can go side by side. He emphasized that we have the right to privacy – and it is not going to disappear. If we are entitled to it, then why not demand that it is obeyed? Why would we turn a blind eye? Privacy protection is a field that can grow alongside not just technology but also business.
Businesspeople who respect data subjects’ rights will be competitive in terms of quality. That was one of the issues raised by many speakers. You can engage in trash marketing and violate privacy, but you will not be treated seriously. Yet you can take a different approach: grow your business according to the rules and improve your image and reputation. It is down to businesses to choose whether they want to benefit from the GDPR or fight it.
The conference was attended by several dozen speakers, and each one gave a talk. It would be hard to describe them all, but it is worthwhile to sum up the key business benefits they discussed.
First of all, know your business.
Effective implementation of the GDPR requires business knowledge. If you implement the GDPR through a weekend offer you bought online, you are not going to gain much from it. However, if you start with an audit of your organization, you can get to know your business. Similar stories came up again and again: implementing the GDPR enabled getting to know organizations step by step, department after department, document after document. As a result, managers learned about the processes within their businesses, often for the very first time. They could find out how to better protect personal data and streamline business processes in general.
Secondly, security.
The GDPR requires businesses to take appropriate care of personal data. These can be found in almost any department, including finance. Not only will raising staff awareness in terms of cyber threats through training, investing in new safeguards and so on let you meet GDPR requirements and protect personal data; it will also improve the security of the company know-how and financial information. More effective personal data protection increases business safety (against fines and criminals).
Thirdly, investments.
The GDPR is a good reason to invest in your business. Investments can be made at various levels. The conference participants had a chance to listen to an excellent story about how, thanks to the GDPR, a company which was still operating as if it was the 1990s got an instant update to modern times. It replaced its equipment and software, invested in new CRM solutions, and moved to the cloud. It bore the financial cost, but gained in terms of operations, organization and security. The GDPR is then a good argument in favour of investing in the company for IT departments which lack the funds for security, or for marketing departments wishing to take more ambitious actions in line with privacy regulations.
As you can see, there are quite a lot of benefits for business. This has been noted by GDPR practitioners. The fact that these benefits are often overlooked in public perception, especially in business, may stem from the narrative accompanying the GDPR. In this regard, it is worthwhile to recall the talk by Mirosław Sanek (former Vice-President of the Polish Personal Data Protection Office), who emphasized that the GDPR is not only about protecting personal data but also about the free movement of such data. He pointed out that the negative narrative (focusing on a stick instead of a carrot) surrounding the GDPR was developed by companies which made their profit on the fear of fines among businesspeople, instead of building general awareness. As can be seen, the GDPR has been in force for a few years now, and no business has been brought down by the fines. It is then worth changing the narrative from analysing the amount and frequency of fines to focusing on the objective of the GDPR that is building awareness.
If you want to see Max Schrems’ statement, go to our YT channel.
Subscribe if you want to see the rest of the lecture. We will be publishing all of them there. You’ll also find there a lot of video content on GDPR and Legaltech.
We also invite you to watch the DAPR channel on LI and the channel of Mikołaj Otmianowski, legal counsel, the originator of the event.
I