At the beginning, there is a kick-off meeting to launch the project. All stakeholders should meet, i.e., in addition to IT, data protection officers and, where applicable, employee representatives, in particular also management. Contents:

• discussion and, where necessary, adaptation of the existing data protection concept in the sense of a “mini data protection audit”,
• launch of data protection management, assigning of responsibilities, transfer to corporate or group structure,
• setting priorities for action.

Objective: stocktaking, in particular with regard to

• types of personal data,
• purposes and legal bases of data use,
• number of employees involved in the processing,
• IT landscape, data backup, authorization concept, virus protection, etc.,
• existing IT security measures (technical and organisational security measures) and their actual use

Result and start of implementation:

• assignment of tasks in the team,
• roadmap for implementation of the identified measures,
• prioritization of tasks.

After the kick-off meeting, further regular meetings should follow according to the agreed timetable, where necessary also by telephone or video conference.

Documentation is (almost) everything! There are extensive information and disclosure obligations regarding the individuals whose personal data are processed (the “data subjects”) relating to

• type of data,
• legal basis of processing,
• purpose and duration of the processing,
• transfer to third parties etc.

The data subjects must be instructed and have, for example, a comprehensive (short-term) right to data access and to object. These obligations can only be realistically met if all the processing steps involved are clearly documented and up-to-date at all times, i.e., if it is even known which data have been stored where or to whom they have been transferred.

• appointment of a (possibly external) data protection officer (where applicable, for all companies in the group)
• customer data protection, i.e., applicability control and, where required, declarations of consent
  online data protection, in particular checking and updating data protection declarations and necessary declarations of consent, as well as website health check and online marketing check (possibly address trading, etc.)
• setting up contract management, in particular updating sample contract data processing contracts, e.g., for the use of cloud services or creation of internal / external declarations of consent, see below.

Current IT and software services are increasingly and in some cases exclusively being offered as cloud services. This means that data will not remain within the company, but will be distributed among a large number of service providers, as in the example. Here it is necessary to keep the overview (with the assistance of a processing directory) and above all to place the data transfer to any third party on a legal secure basis. This is the case with agreements on contract data processing, on which the GDPR imposes more difficult conditions, especially when suppliers from outside the EU are involved.

Data protection and IT security does not only mean the implementation of technical measures. An essential component is the correct conduct of employees. They need to be trained, made sensitive, managed and included in the measures. Suggestions:

• create processing directory together with employee
• drafting of a corporate privacy policy
• employees’ voluntary commitment to data protection
• declaration(s) of consent to employee data protection and works agreement(s)
• definition of a concept for necessary employee training courses

Data security is IT security. Cyber security and GDPR conformity go hand in hand. Briefly said: The Regulation places comprehensive requirements on IT security, risk assessment that is up-to-date at all times and state-of-the-art security measures (technical and organisational measures).

The work is not done with establishing a data protection-compliant state, however; it is an important stage victory, but not more. Due to the company’s obligation to provide evidence and the reversal of the burden of proof pursuant to the GDPR, it must be ensured at all times that the above requirements are met on an ongoing basis. Regular updating of documentation and measures is mandatory, see e.g.

• implementing and updating of data protection concepts and technical and organisational measures
• monitoring current developments in data protection law and identifying the resulting need for action
• monitoring of processing changes in the company
• appointment of a contact person for emergencies, e.g., to notify data subjects in the event of “data breakdowns”

It is advisable to maintain the meetings, e.g., as a jour fixe, on the status of implementation and monitoring, initially at shorter intervals and later at longer intervals.