Purpose: The purpose of this article is to illustrate how the General Data Protection Regulation GDPR), which came into force in 2018 in Polish legal system, affects protection in the scope of collection, processing, storage and transfer of personal data in IT systems supporting production. Design/methodology/ approach: Because production control systems are based on the identification and analysis of human and machine resources behaviour, a significant impact of recent legal regulations on automation of manufacturing processes is perceived. However, according to GDPR, the data enabling unambiguous identification are protected. Findings: Resource recognition is not only important for the scheduling of production activities, but also for event logging. Research limitations/implications: It should be noted that both the allocation of human resources, taking into account the boundary conditions for the execution of tasks and the substitutability of individual employees, as well as reporting the efficiency and effectiveness of production, requires the unambiguous identification of people. It is carried out by means of one or several factors that physically, mentally, economically or socially describe the resource. Practical implications: Since the coordination of the company's production activities requires the processing of data describing human resources, taking into account the aspect of their security, it is necessary to create a new business model, which is the subject of research presen-ted in this document. Originality/value: Ensuring the security of data in the IT system, in addition to user authentication to resources, means also protection against accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed. When making decisions about the application of certain security measures, it is necessary to take into account the value of the data and the effects that the infringement may cause.