GENER AL DATA PROTECTION REGULATION – RESULTS OF A PILOT STUDY

The article focuses on the social aspects of the GDPR implementation. Paper presents the results of a study conducted in 2018, after the introduction of legislative changes. The study was exploratory and its aim was to find out how administrative employees evaluated and feels about GDPR. The survey was conducted as an online survey questionnaire. The article presents the results of the study, initial conclusions after its implementation, and a proposal for further research. systems. It is the modern technological progress, changes within the specifics of information processing as well as the appearance of new telecommunication products (Budziewicz-Guźlecka, 2009), which imply the necessity of introducing new and effective legal regulations in the protection of personal data (Sakowska-Baryła, 2016, p. 127).


Introduction
The beginnings of the discourse on the protection of personal data date back to the 19th century, while the first legal regulations in this area began to appear in Europe already in the 1970s (Jatkiewicz, 2015, p. 11). Significant challenges in creating legal regulations for data protection date back to the beginning of the 1990s, when the methods of manual collection and preservation of information began to be gradually replaced by electronic Vol. 28/2, 4/2018 General Data Protection Regulation -results of a pilot study The subject of research interest in this article are the social aspects of the entry into force of the GDPR, and the main goal is to get to know the opinions of administrative employees on the subject of the GDPR and related procedures.

Methods
In July 2018, that is after the entry into force of the changes under the GDPR, a pilot exploratory survey was carried out, in which the employees of the university administration (from one faculty) and the educational institution took part. The study consisted of two stages: the first part was of a quantitative nature and was carried out in the form of an online survey questionnaire via the www.ebadania.pl website. The questionnaire contained two types of questions: closed single-choice questions and semi-open questions, in which respondents had the opportunity to develop a response in the form of a comment. Queries were sent to all administrative employees within the surveyed units (a total of 41 inquiries) and the return of correctly completed questionnaires counted 23 polls. The study was anonymous and voluntary, and its results serve scientific purposes, which the respondents were informed about. In the second part, a qualitative study was carried out in the form of interviews with selected employees (5 in total). The article presents the results of the survey, initial conclusions after its completion as well as proposals regarding the direction of further research.

Results
The study shows that the attitude of respondents to the fact itself of introducing the GDPR is diverse, and respondents' answers are distributed quite evenly as it is shown in Figure 1. It is also worth mentioning that respondents replied that in the institution where they work there were trainings on the subject of the GDPR, in which all the respondents participated. However, most of them declare rather moderate knowledge about the regulation. Data regarding this issue are presented in Figure 2.
It is visible, that the majority of respondents positively evaluate their knowledge about GDPR, but only 2 people have found it as "high". Further research should verify why, despite the participation in training, the respondents do not feel fully competent. This question was asked in a qualitative study, which the authors devoted to a separate article. Another issue that has been addressed in the survey is the attitude of respondents to the possibility of expanding their knowledge about the GDPR in the future. Figure 3 presents the distribution of responses. The majority of respondents declare their willingness to broaden their knowledge about GDPR, which can be considered as a positive manifestation and expression of openness to change. However, research on the reasons for this state of matter should be deepened, as it may result both: from the willingness to constantly improve their competences, as well as from difficulties in finding themselves within the maze of regulations. This might be especially important due to the fact, that a significant number of respondents had difficulty assessing the clarity of the new regulations (as you can see in Figure 4).
On the other hand there are positive signals as only a small number of people declared that they have experienced fears in relation to the GDPR. This is presented in Figure 5. Also only a small number of respondents declared that after the entry into force of the Regulation they experienced problems resulting from it ( Figure 6). However, it is worth noting that over 30% of respondents had difficulties to determine whether they were afraid of the consequences of non-compliance with the Regulation. This issue, as well as an attempt to explain this attitude, was undertaken and described in a more detailed way in a separate article.
Vol. 28/2, 4/2018 General Data Protection Regulation -results of a pilot study  The conducted study clearly indicates that the majority of the administrative employees covered by the survey did not encounter additional difficulties in their work after the introduction of the General Data Protection Regulation. However, the results indicate that the GDPR for some of them was a source of a problematic situation. The respondents in the open question could indicate the type of difficulty implied in their work by GDPR. This issue was later on analyzed in a qualitative study. As the main serious problem, the respondents most often reported a longer working time due to the necessity to implement measures in line with the new regulation, as well as some admitted that they had difficulties in taking lawful actions tailored to specific situations.

Maciej Czaplewski, Anna Modzelewska-Stalmach, Malwina Popiołek
The results of the survey indicate that currently more than half of the respondents are not afraid of the consequences of breaking the regulation, while some people have difficulties determining their attitude in this regard. During free, in-depth interviews, the employees of the administration declared, that initially they were afraid of the scale of changes, sanctions resulting from failure to adapt to new procedures, as well as from extension of working time in connection with new duties. In the examined institutions, additional, detailed instructions were implemented, and some activities within the organization were systematized. The respondents pointed out that despite the initial anxiety their work did not change radically.
Among the most important changes, the respondents most often indicated the necessity to appoint a personal data administrator, as well as the implementation of data protection instructions processed both electronically and traditionally. Data encryption instructions, protection of computers and mobile devices containing personal data as well as physical protection in enclosed cabinets have been introduced. Interlocutors paid attention to the fact that they collect information in a minimal scope, serving only statutory and educational purposes. An important role in a smooth adaptation to changes and in reduction of employee uncertainty after the implementation of the new regulations is provided by trainings on the GDPR issue, in which each of the respondents participated. The interlocutors particularly positively evaluated by those trainings having application values and practical information tailored to the specifics of the industry in which they work.

Conclusions
The entry into force of the GDPR aroused numerous controversies. Regulation infringement may involve the imposition of sanctions and high financial penalties on the entity processing the data, amounting to as much as 20 million EUR or 4% of the total global turnover from the previous year, with a higher amount (art. 83 point 5 of the GDPR). Many organizations, especially small and medium-sized enterprises, expressed concerns about possible sanctions, as well as a lack of understanding of some provisions or awareness of the scale of changes and the consequences of failure to adopt measures to adapt procedures to the new legal order (Sumińska, Postuła, 2017, p. 116 ).
The conducted research indicated a diverse attitude of the administration employees towards the introduction of the GDPR adapted to the European Union legislation. Most of the respondents positively assessed their state of knowledge about the new regulations, and it is worth noting that all respondents took part in at least one training on the implementation of practices consistent with GDRP. We can also see the openness of administration staff to broaden knowledge about the ways and possibilities of personal data protection, which is reflected in the declarations of participation in training and the will to expand knowledge in the aforementioned scope. It is worth noting that the employees did not report any major problems resulting from the adaptation of their own activities after the entry into force of the Regulation, except extended working hours and an occasional problem in the selection of right actions to a specific situation. Despite the discourse in the media on the possibility of financial sanctions, the majority of respondents are not afraid of penalties resulting from non-compliance with the regulation.
The results presented in this article are only exploratory in nature and signal the most important areas for further analysis, indicating new and important fields for potential future research. The issue of GDPR implementation has various social contexts (it can even cause digital exclusion (Budziewicz-Guźlecka, 2010), depending mainly on the type of organization and the method of data processing. In order to better understand the problem, the authors