Implementing the EU’s General Data Protection Regulation – A task for each and every employee
Listing ten facts, Dirk Clemens, Bundesdruckerei's Data Protection Officer, explains the most important aspects of the EU’s General Data Protection Regulation (GDPR). Based on his own practical experience, he will provide some important tips.
25 May 2018 marks the deadline for implementation of the provisions and requirements of the EU’s General Data Protection Regulation (GDPR). These changes affect every organization that processes personal data and require that data protection be reviewed and adapted in its entirety. The following ten facts are important:
Dirk Clemens – Bundesdruckerei’s Data Protection Officer
Fact No. 1: Only a minority of German companies are prepared for the GDPR, according to a recent survey by the digital association Bitkom. Only 13 percent have started or have implemented initial measures, and one in three companies has not yet even looked at the requirements of the Regulation.
My practical tip: The clock is ticking. If you have some catching up to do, you should quickly find out how the GDPR affects your processes and then immediately plan and implement the necessary measures. What’s important is that the critical requirements must be fully implemented by 25 May 2018. These include, for example, accountability (Article 5(2)), the record of processing activities (Article 30) and the establishment of a procedure for reporting personal data breaches (Articles 33 and 34). External consulting to define individual requirements and industry-specific specifications could provide valuable support in this respect.
Fact No. 2: According to the GDPR, accountability is an obligation (Articles 5(2) and 24). The company (as the controller) must be able to demonstrate that it takes appropriate and effective measures to implement the data protection principles and obligations of the Regulation.
My practical tip: Due to the extensive accountability obligations, a data protection management system needs to be introduced. This can be based on established principles from management systems in other disciplines – such as information security according to ISO 27001 or BSI IT-Grundschutz (IT baseline protection). According to the GDPR, for instance, the controller must plan, implement, document, review and, if necessary, improve measures while taking context and risk into account. This is essentially what the PDCA (Plan Do Check Act) cycle of any management system does.
Fact No. 3: If you neglect data protection, things will become very expensive for you in the future. Under the old Federal Data Protection Act, fines were capped at EUR 300,000; under the GDPR they can amount to up to EUR 20 million or 4 percent of a company’s total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)). What’s more, the sanctions framework is much broader: fines are addressed to controllers and processors alike, and liability risks for the managing director, the internal data protection officer and employees can additionally arise under national law.
My practical tip: In order to successfully implement the GDPR at your company, management and employees must receive extensive training in data protection issues and become more aware about how to handle personal data. This can be achieved, for example, within the scope of a basics workshop conducted by consulting firms such as Bundesdruckerei.
Fact No. 4: A central aspect of the GDPR is the data subjects’ control over the processing of their data. This includes the rights of access (Article 15), rectification (Article 16), erasure ("right to be forgotten", Article 17), restriction of processing (Article 18), data portability (Article 20) and objection (Article 21). Requests must generally be answered within one month (Article 12(3)).
My practical tip: Set up data protection processes at your company to implement the data subjects’ rights. The erasure concepts in existing IT infrastructures must be carefully examined: an erasure request is only fulfilled if the data is also removed from backups, log files, data warehouses and copies held by processors within the defined retention periods. Central data management and efficient processing procedures are also advisable. The data transferred by the customer, for instance, can be validated in real time – data quality solutions then automatically check that the address and name are correct and complete.
Fact No. 5: The notification obligations in the event of a personal data breach have become much stricter. While reporting was only required in very limited cases in the past – such as data subject to professional secrecy or bank and credit card accounts – the GDPR requires a breach to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). If the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34). A processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)).
My practical tip: Develop a procedure to report personal data breaches within the specified period of time along with the required information: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed, and the contact details of the data protection officer. Define the personnel responsibilities from detection through risk assessment to notification, and make sure that the 72-hour clock, which starts when the company becomes aware of the breach, is not lost in internal escalation. Document every breach, including those you decide not to report and the reasons for that decision, together with the measures taken to remedy it; the supervisory authority may ask to see this record (Article 33(5)). Train your staff so that data protection breaches are recognized and reported in good time.
Fact No. 6: The data protection officer’s range of duties has been expanded under the GDPR (Article 39). In addition to informing and advising the company on matters of data protection, the data protection officer is now also required to monitor compliance with data protection rules, to advise on data protection impact assessments and to act as the contact point for the supervisory authority. What’s more, data protection officers must have expert knowledge of data protection law and practice, and the company must provide the resources needed to maintain that knowledge (Articles 37(5) and 38(2)).
My practical tip: With these tasks, the data protection officer now belongs to the group of people in charge and carries significantly greater responsibility, even though the GDPR itself addresses fines to the controller and the processor and prohibits penalizing the data protection officer for performing his or her tasks (Article 38(3)). Careful selection of personnel is called for here. You should select a data protection officer who can prove continuous professional training. Appoint data protection coordinators who can support the data protection officer and are responsible for individual areas of the company. Their task is, for example, to help the specific people in charge with the documentation of central procedures.
Fact No. 7: Data protection by design and by default is a legal obligation of the controller (Article 25). A company that processes personal data with products or systems that are not designed in accordance with these principles can be sanctioned (Article 83(4)).
My practical tip: Develop products or adapt existing solutions according to the data protection principles: "Privacy by Design" and "Privacy by Default". One example of "Privacy by Design" is Bundesdruckerei's cloud solution "Bdrive". This solution is based on a technology concept that safeguards data sovereignty, allows data to be stored and passed on in a confidential manner and ensures a high level of information security and availability. One example of "Privacy by Default" is "verimi", a registration, identity and data platform that is set to be launched at the end of the year. With this platform, users can explicitly decide which data they would like to pass on to partner companies.
Fact No. 8: In future, service providers who process personal data on behalf of a company (processors) can also be held liable. The GDPR imposes direct obligations on processors – for example, to process data only on documented instructions, to keep their own record of processing activities, to implement appropriate security measures and to notify the controller of breaches (Articles 28, 30(2), 32 and 33(2)) – and they can be fined for breaching them. A processor that goes beyond its instructions and itself determines the purposes and means of processing is treated as a controller for that processing (Article 28(10)).
My practical tip: Carefully check your contracts for commissioned data processing. Request all agreements from the sales and purchasing departments and ensure that they comply with the Federal Data Protection Act up until 25 May 2018 and with the GDPR together with the new Federal Data Protection Act from that date. Article 28(3) prescribes the minimum content of such a contract, including the subject matter, duration, nature and purpose of the processing, the types of personal data, the processor’s confidentiality and security obligations, the rules for engaging sub-processors, support for data subject requests, deletion or return of the data at the end of the engagement, and the controller’s right to audit. Set up a company-wide contract management process for commissioned data processing.
Fact No. 9: In order to ensure that personal data is processed in accordance with the GDPR, suitable technical and organizational measures must be implemented, taking into account the state of the art, the costs of implementation and the risks of the processing (Article 32). If this is not carried out, sanctions could be imposed.
My practical tip: Introduce a procedure that regularly checks and adapts your technical and organizational measures to ensure they are up to date. The data protection impact assessment (Article 35) is extremely important. This assessment must be carried out when processing is likely to result in a high risk to the rights and freedoms of natural persons, for instance, with large-scale processing of health data, with systematic video surveillance of publicly accessible areas, or with RFID or other tracking solutions that allow individuals to be monitored. Suitable measures, security precautions and procedures must be implemented for the risks identified, and if the residual risk remains high, the supervisory authority must be consulted before processing begins (Article 36).
Fact No. 10: The specialist departments rather than the data protection officer are responsible for documentation of data protection procedures. The record of processing activities (Article 30) is an obligation of the controller; the data protection officer advises on it and monitors it, but does not own it.
My practical tip: Assume a holistic mindset for establishing and ensuring data protection at your company. Data protection is a task for each and every employee, a subgoal of every project and a management task at every company. You can help by providing sufficient resources and budgets and by motivating your employees to actively embrace data protection.
Bundesdruckerei's data protection consultancy service provides information on the EU’s General Data Protection Regulation and the new Federal Data Protection Act. It takes industry-specific requirements into account and responds to the specific needs of customers. The company’s technical experts can help you to set up your data protection management system.