General Data Protection Regulation
On 25 May 2018, the General Data Protection Regulation is to come into effect. Are companies prepared for this deadline? What support is available to them during implementation? Time to talk to Susanne Dehmel, member of the Legal & Security management of Bitkom, the German Association for Information Technology, Telecommunications and New Media e. V.
Considerable uncertainty among companies
Ms Dehmel, why should companies now take a close look at the General Data Protection Regulation (GDPR)?
Susanne Dehmel: An important deadline is drawing near: As of 25 May 2018, all data processing entities in Germany are obliged to have implemented new requirements for processing personal data. From this day on, the so-called risk-based approach adopted in the Regulation will also apply. And this has consequences for every company that processes data – in other words, for all companies.
GDPR expert: Susanne Dehmel, member of the Legal & Security management of Bitkom, the German Association for Information Technology, Telecommunications and New Media e. V.
Are companies in Germany suitably prepared for this deadline?
Susanne Dehmel: Our surveys paint a different picture, showing that up to now every third company has ignored the GDPR. There are many reasons for this. The cost of implementation, for instance, is impossible to calculate and the deadline is too short, or the tools needed for implementation are lacking. There is considerable uncertainty among companies around 100 days before the Regulation comes into effect.
What exactly is changing?
Susanne Dehmel: Up until now, there was a catalogue that defined which measures companies had to take to ensure secure data processing. This is set to change in May when companies processing data will be required to identify the risk to data subjects, classify this risk and implement appropriate measures to protect the data subjects. If the risk to data subjects is high, a detailed assessment of the impact must be carried out and, where appropriate, further protection measures must be taken. What’s more, companies not only have to design their data processing to comply with data protection regulations, they must also be able to document this compliance. A privacy impact assessment is prescribed for high-risk data processing.
What do you recommend to companies?
Susanne Dehmel: First of all, companies should take a close look at their data processing. Then, they should check whether they have procedures, methods and tools on which they can rely to comply with the requirements of the GDPR. They can then create synergies and do not have to set up each process from scratch. Finally, adequate technical and organizational measures must be determined.
Where do you see pitfalls?
Susanne Dehmel: In short, that is very difficult to say. One example, for instance, is that the EU legislator repeatedly refers to the risk to the rights and freedoms of the data subjects, but the GDPR does not contain any precise definition of the term risk. It does not describe what the legislator understands to be a risk or a high risk. It is also unclear which procedural models will be accepted by the supervisory authorities. In principle, we will have to ensure that the majority of companies can also meet the requirements.
What kind of practical help is available to companies?
Susanne Dehmel: In co-operation with our "Data Protection" working group, we have published the guideline on the "Risk Assessment & Data Protection Impact Assessment" in accordance with the GDPR. This guideline provides a detailed description of how companies can meet the requirements of the GDPR and adapt their risk management to the Regulation. It also contains a list of the nine most important steps that companies should now take. This includes getting top management on board, defining responsibilities, analysing and assessing risks and finally monitoring and reviewing them.
Ms Dehmel, thank you very much for taking the time to talk to us.
The Bitkom guide can be downloaded here free of charge: