THE GENERAL DATA PROTECTION REGULATION (GDPR) HAS BEEN IN FORCE SINCE 25 MAY 2018. IF NOT DONE YET: WHY DO I HAVE TO TAKE ACTION?
A lot has changed in comparison to the provisions of the Federal Data Protection Act. Accountability is a key principle of the GDPR. This means that companies have to document and prove their compliance with data protection provisions to a much greater extent than before. As a result, internal data processing has to be reorganised or entirely reimplemented. This includes data access processes, erasure concepts, purpose definitions etc. The threatened fines and, above all, the actual level of fines have been substantially increased. Data security requirements are also stricter, liability for non-compliance is being tightened, and the likelihood that non-compliance will be pursued is increasing as a result of the approval of “class actions”.
WHOM DOES IT CONCERN? ALMOST EVERYONE WHO PROCESSES PERSONAL DATA. AN EXAMPLE:
Take, for example, a medium-sized manufacturing company with numerous B2B suppliers and sales partners and a direct B2C web shop. The company has a small IT department of its own, but uses popular cloud services from local and international providers to reduce costs. The works council, suspicious of all technological innovations, is concerned about the privacy of employees. Consequently, a lot of personal data flow through various processes, and several players are involved.
WHAT SHOULD THIS COMPANY DO NOW TO COMPLY WITH THE NEW DATA PROTECTION LAW?
The following steps are useful for the planned, step-by-step development of the necessary processes and tools:
At the beginning, there is a kick-off meeting to launch the project. All stakeholders should attend: in addition to IT, the data protection officer and, where applicable, employee representatives, and in particular also management. Contents:
- discussion and, where necessary, adaptation of the existing data protection concept in the sense of a “mini data protection audit”,
- launch of data protection management, assigning of responsibilities, transfer to corporate or group structure,
- setting priorities for action.
Objective: stocktaking, in particular with regard to
- types of personal data,
- purposes and legal bases of data use,
- number of employees involved in the processing,
- IT landscape, data backup, authorization concept, virus protection, etc.,
- existing IT security measures (technical and organisational security measures) and their actual use.
Result and start of implementation:
- assignment of tasks in the team,
- roadmap for implementation of the identified measures,
- prioritization of tasks.
After the kick-off meeting, further regular meetings should follow according to the agreed timetable, where necessary also by telephone or video conference.
Documentation is (almost) everything! There are extensive information and disclosure obligations regarding the individuals whose personal data are processed (the “data subjects”) relating to
- type of data,
- legal basis of processing,
- purpose and duration of the processing,
- transfer to third parties etc.
The data subjects must be informed and have, for example, a comprehensive right to data access (to be fulfilled at short notice) and a right to object. These obligations can only be realistically met if all the processing steps involved are clearly documented and up-to-date at all times, i.e., only if it is actually known which data are stored where and to whom they have been transferred. Typical measures:
- appointment of a (possibly external) data protection officer (where applicable, for all companies in the group),
- customer data protection, i.e., checking applicability and, where required, obtaining declarations of consent,
- online data protection, in particular checking and updating privacy statements and necessary declarations of consent, as well as a website health check and online marketing check (possibly address trading, etc.),
- setting up contract management, in particular updating template data processing agreements, e.g., for the use of cloud services, or creating internal / external declarations of consent, see below.
Current IT and software services are increasingly, and in some cases exclusively, being offered as cloud services. This means that data will not remain within the company, but will be distributed among a large number of service providers, as in the example. Here it is necessary to keep an overview (with the help of a processing directory) and, above all, to place any transfer of data to a third party on a legally secure basis. This is done through data processing agreements, on which the GDPR imposes stricter conditions, especially when providers from outside the EU are involved.
Data protection and IT security do not only mean the implementation of technical measures. An essential component is the correct conduct of employees. They need to be trained, made aware, managed and included in the measures. Suggestions:
- create the processing directory together with employees,
- employees’ voluntary commitment to data protection,
- declaration(s) of consent on employee data protection and works agreement(s),
- definition of a concept for necessary employee training courses.
Data security is IT security. Cyber security and GDPR conformity go hand in hand. In short: the Regulation places comprehensive requirements on IT security, on a risk assessment that is up-to-date at all times, and on state-of-the-art security measures (technical and organisational measures).
Establishing a data protection-compliant state does not complete the work, however; it is an important milestone, but no more. Due to the company’s obligation to provide evidence and the reversal of the burden of proof under the GDPR, it must be ensured at all times that the above requirements are met on an ongoing basis. Regular updating of documentation and measures is mandatory, e.g.:
- implementing and updating data protection concepts and technical and organisational measures,
- monitoring current developments in data protection law and identifying the resulting need for action,
- monitoring changes to processing within the company,
- appointing a contact person for emergencies, e.g., to notify data subjects in the event of “data breaches”.
It is advisable to keep up the meetings on the status of implementation and monitoring, e.g., as a jour fixe, initially at shorter intervals and later at longer ones.
I will accompany you in all these steps, assess the legal conformity of the status quo, advise on the scope of adaptation needs and support the implementation. Proven and tested checklists and procedures as shown will guarantee your success.
That is a lot of work, especially in the short time that is remaining. But there are also advantages to this process: the creation or improvement of appropriate IT security, an overall reduction of risk, and the protection of the particularly sensitive data of the company, its customers and its partners. This is an essential asset and possibly a unique selling point in your competitive environment.