On May 25, 2018, a new EU Regulation on the protection of personal data (the General Data Protection Regulation, known in Poland by the abbreviation RODO) will come into force in Poland. So there is little time left to prepare your company for the changes resulting from RODO.
The factoring industry is a fully professional industry, comparable to banking. Even before RODO, it was standard to apply personal data security policies. It should therefore be assumed that all factoring companies are in the final stages of adjusting to the new data protection requirements and of adopting and implementing appropriate procedures. However, certain aspects of RODO specific to the factoring industry may have escaped attention. Let's look at the new regulations from the factor's side. What should a factor pay special attention to?
- It will certainly be necessary to prepare consent forms for personal data processing from scratch to meet the requirements of RODO (a detailed definition of the scope of data use, clarity and precision, understandable language, instruction on the right to withdraw consent at any time, no pre-ticked acceptance boxes, etc.);
- In most cases factoring companies will have to obtain such consent again, unless the consent previously used already satisfied the requirements of RODO;
- Those factors that automate the decision-making process on invoice financing and apply automatic algorithms for this purpose must remember that they are then dealing with profiling, which RODO regulates in detail. Recital 71 of the RODO preamble explicitly gives as an example of profiling the "automatic rejection of an electronic credit application." In addition to obtaining precise consent, I would recommend introducing a human decision-making step before any invoice financing, so as to avoid full profiling. In the case of full profiling, very precise prior consent is required pursuant to Article 22(2)(c) of RODO;
- Clients of the factor that are companies (and thus, from the factor's point of view, theoretically not subject to RODO) in practice still fall under RODO because of the personal data of the individuals present in the company's structure. In this situation it seems reasonable to create a single security policy without splitting it between individuals and companies;
- Each large factor should independently assess, on the basis of a risk analysis, whether to appoint a Data Protection Officer (DPO) and an Information Systems Administrator. This seems a recommended course of action, especially since many factors have so far had an Information Security Administrator (ABI) in their structure. Failure to appoint a DPO in place of an ABI would then be difficult to defend;
- Where this has not yet happened, it is also advisable to change the office infrastructure and introduce appropriate security measures (lockable file cabinets and drawers, biometric access to selected rooms, a safe, etc.);
It is also worth noting that RODO treats the processing of personal data concerning the economic situation of an individual (including an entrepreneur) as processing that may lead to physical, material or non-material damage constituting a risk to a person's rights and freedoms (see Recital 75 of the RODO preamble).
From the employee's perspective, RODO will be onerous: another policy to read and sign, training, and perhaps a clean desk and clear screen policy, if one has not already been followed.
Practice will show how onerous the new regulations will be, and how onerous the inspections. An undoubted advantage of the regulation is its uniformity across the entire EU, which makes things especially easy for multinational corporations.
These are only selected aspects of the regulation under discussion; in practice there are many more.