New data protection law from 25.05.2018 - These obligations will apply to ALL companies

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. It has a direct impact on every company, regardless of how many employees a company has.

Above all, due to the significantly increasing risks of fines and loss of reputation as well as the threat of future claims for damages by affected persons, a data protection risk analysis relating to the entire company and the individual business areas is necessary.

1. Compliance with data protection regulations is from now on a "matter for the boss"

The management of the company (AG board, association board, managing director, owner, etc.) now bears the overall responsibility for data protection according to the GDPR and thus also the responsibility for the implementation of the GDPR.

The organisational responsibility exists in particular with regard to the implementation of the GDPR by means of instructions or policies (avoidance of organisational negligence).

The management of the company must ensure the proper monitoring of data protection-relevant company processes by installing sufficient control mechanisms and control systems (avoidance of monitoring failure). It must also ensure the provision of the necessary financial, material and human resources for the implementation of the GDPR as well as for the further data protection organisation required after the GDPR implementation phase. The management must arrange for the introduction of a data protection management system and ensure its permanent maintenance and updating by sufficiently qualified persons.

The management must also ensure the appointment of a data protection officer if this is required by law. However, even if there is no legal obligation to appoint a data protection officer in the company, the management must ensure that there is sufficient data protection expertise or know-how in the company. If this expertise is not available in the company, it must be "purchased" externally. At least the installation of a sufficiently qualified "data protection coordinator" is mandatory in every company.

The company management has the responsibility and duty to ensure that data protection risks are avoided in the company through the design of processes, products and technology and by establishing deletion concepts, etc.

The management must ensure that the transparency and information obligations under the GDPR are met and that the data protection rights under the GDPR are guaranteed. Processes for providing data protection information and for handling requests for information, deletions, corrections, data portability, objections, data breaches and the right to be forgotten must therefore be created and documented.

2. Data protection inventory

In order to be able to implement the aforementioned points, each company must first take stock of the existing data protection-relevant processes in the company (determination of the "current state").

The following checks, among others, are required for this purpose:

  • Review of existing personal data processing procedures (for example, procedure directories, prior checks, data protection concepts, notification procedures)
  • Examination of company agreements containing regulations on employee data protection
  • Checking whether the processing and use of personal data is carried out with the necessary permission, i.e. checking the legal bases and/or consents on the basis of which the data processing is carried out
  • Review of existing documentation on data protection (for example, guidelines, manuals, training materials)
  • Review of the consent texts used so far, the contracts for commissioned processing, the templates for requests for information, etc.
  • Review of all data protection statements on homepages and in online shops

3. Determination of the concrete need for action

After taking stock and determining the "current state" of data protection in the company, the concrete need for action and the "target state" to be achieved in the company must be determined. In particular, the increased accountability and the risk-based approach of the GDPR must be taken into account. In this phase, it is therefore necessary to check at which points in the company there is a need for change with regard to the new legal regulations.

4. Implementation of the necessary measures

Once the necessary measures to implement the GDPR have been identified, the necessary adjustments must be made.

These include in particular:

  • Installation of a data protection management system that meets the requirements of the GDPR
  • Adaptation of all data protection processes and structures in the company
  • As a fundamental point, the existing procedure directories must be revised and adapted to the new legal regulations. Although there are exceptions for smaller companies, so that under certain circumstances they do not have to create a procedure directory, the GDPR now obliges companies to have a data protection management system, as already mentioned. In the future, companies must not only ensure that data protection requirements are met, they must also prove and document this. In order to comply with this requirement, a company must first know, list and document all data processing activities. For this reason, we believe that every company must have a data processing register, as otherwise it cannot be proven which data is processed in the company and how. We are therefore of the opinion that every company, regardless of whether it is legally obliged to do so or not, must create a register of processing activities in accordance with the GDPR.
  • Creation of a data security concept. Also for the area of data security, according to the GDPR, every company must prove that "appropriate technical and organisational measures" are used to protect the data subjects and their data.
  • Creation of new data protection statements on websites and in online shops
  • Determination of the legal bases and the purposes of the data processing in accordance with the GDPR
  • Adaptation of existing declarations of consent and justification of processing operations to the GDPR
  • Determination of measures and development of model documents to ensure and document compliance with data protection information obligations and data subject rights
  • Developing and documenting a data breach response plan
  • Creation of a permanent training system, i.e. staff training and binding staff to data secrecy

5. Conclusion

In summary, with regard to the GDPR, which will be directly applicable on 25.05.2018, every company must act.

Every company must introduce a data protection management system with regard to the GDPR. Data protection law under the GDPR is designed as a data protection compliance regime. This means that constant review and adaptation of the company's data protection documents will be necessary. The topic of data protection in the company, which has been neglected up to now, must therefore be given more attention in the future.

This applies in particular with regard to the significantly increased threats of fines. The current fines of up to a maximum of € 300,000.00 have been increased to up to € 20 million or 4 % of the global group turnover of the previous year. In addition, there is personal liability of company owners, managing directors and/or board members under certain conditions.

Therefore, every company must now take action as quickly as possible, prepare for the GDPR and, if necessary, seek advice from sufficiently qualified personnel.

Our firm has several lawyers and specialist lawyers who have been working as external data protection officers and/or data protection advisors for numerous companies for many years. If there is a need for advice in your company, we will be happy to assist you.

For queries, please contact:

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for information technology law (IT law)

E-mail: info@goldberg.de
