New Data Protection Law from May 25, 2018 – These Obligations Apply to ALL Companies

The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. It has direct implications for every company, regardless of its number of employees.

Primarily due to the significantly increasing risks of fines and reputational damage, as well as potential future claims for damages from affected individuals, a data protection risk analysis covering the entire company and its individual business units is required.

1. Compliance with data protection regulations is from now on a "matter for the boss"

Under the GDPR, the company management (e.g., board of directors, association board, managing directors, owners) now bears overall responsibility for data protection and, consequently, for the implementation of the GDPR.

Organizational responsibility particularly involves the implementation of the GDPR through instructions and policies (to prevent organizational negligence).

Company management must ensure the proper monitoring of data protection-relevant business processes by implementing adequate control mechanisms and systems (to prevent monitoring failures). It must also provide the necessary financial, material, and human resources for GDPR implementation and for the ongoing data protection organization required after the GDPR implementation phase. Management must initiate the introduction of a data protection management system and ensure its continuous maintenance and updating by sufficiently qualified personnel.

Management must also ensure the appointment of a Data Protection Officer (DPO) if legally mandated. However, even if there is no legal obligation to appoint a DPO within the company, management must ensure sufficient data protection expertise or adequate data protection know-how within the organization. If this expertise is not available internally, it must be procured externally. At a minimum, the installation of a sufficiently qualified “Data Protection Coordinator” is mandatory in every company.

Company management has the responsibility and duty to mitigate data protection risks within the company by establishing process, product, and technology design, as well as implementing deletion concepts, etc.

Management must ensure compliance with the transparency and information obligations under the GDPR, as well as the safeguarding of data subject rights under the GDPR. Therefore, processes for data protection information, access requests, deletions, rectifications, data portability, objections, data breaches, and the right to be forgotten must be established and documented.

2. Data Protection Inventory

To implement the aforementioned points, every company must first conduct a data protection inventory of existing data protection-relevant processes within the company (determining the “current state”).

Among others, the following assessments are required:

  • Review of existing processing operations for personal data (e.g., records of processing activities, prior consultations, data protection concepts, notification procedures)
  • Review of works council agreements that contain provisions on employee data protection
  • Verification of whether the processing and use of personal data is carried out with the necessary authorization. Review of the legal bases and/or consents on which data processing is based.
  • Review of existing data protection documentation (e.g., policies, manuals, training materials)
  • Review of previously used texts for consents, data processing agreements, templates for access requests, etc.
  • Review of all privacy policies on websites and in online shops

3. Determination of Specific Action Required

Following the inventory and the determination of the data protection “current state” within the company, the specific actions required and the desired “target state” must be defined. In particular, the increased accountability and the risk-based approach of the GDPR must be considered. Therefore, in this phase, it is necessary to examine which areas of the company require changes in light of the new legal regulations.

4. Implementation of the necessary measures

Once the necessary measures for GDPR implementation have been identified, the required adjustments must be made.

These include, in particular:

  • Installation of a data protection management system that complies with GDPR requirements
  • Adjustment of all data protection-related processes and structures within the company
  • As a fundamental point, existing records of processing activities must be revised and adapted to the new legal regulations. While exceptions exist for smaller companies, meaning they may not need to create a record of processing activities under certain circumstances, the GDPR now obliges companies, as previously mentioned, to implement a data protection management system. In the future, companies must not only ensure compliance with data protection requirements but also demonstrate and document it. To fulfill this requirement, a company must therefore first identify, list, and document all data processing activities. For this reason, in our assessment, every company must maintain a record of data processing activities, as otherwise, it cannot be proven what data is processed within the company and how. We therefore hold the view that every company, regardless of whether it is legally obliged to do so or not, must create a record of processing activities in accordance with the GDPR.
  • Creation of a data security concept. For data security, too, every company must demonstrate under the GDPR that 'appropriate technical and organizational measures' are implemented to protect data subjects and their data.
  • Creation of new privacy policies on websites and in online shops
  • Definition of the legal bases and purposes of data processing in accordance with the GDPR
  • Adaptation of existing consent declarations and justification of processing operations to the GDPR
  • Definition of measures and development of sample documents to ensure and document compliance with data protection information obligations and data subject rights
  • Development and documentation of a response plan for data breaches
  • Establishment of a permanent training system, i.e., employee training, and commitment of employees to data secrecy

5. Conclusion

In summary, it must be stated that with regard to the GDPR, which became directly applicable on May 25, 2018, every company must take action.

Every company must implement a data protection management system within the company in light of the GDPR. Data protection law under the GDPR is designed as a data protection compliance regulation. This means that continuous consultation and adaptation of data protection documentation within the company will be necessary. Therefore, the topic of data protection within companies, which has been neglected until now, must receive more attention in the future.

This applies particularly in view of the significantly increased threat of fines. The current fines of up to a maximum of €300,000.00 have been increased to up to €20 million or 4% of the previous year's global group turnover. Furthermore, under certain conditions, there is personal liability for company owners, managing directors, and/or board members.

Therefore, every company must now act as quickly as possible, prepare for the GDPR, and, if necessary, seek advice from sufficiently qualified personnel.

Our firm has several lawyers and specialized lawyers who have been working for many years as external data protection officers and/or data protection consultants for numerous companies. Therefore, if your company requires consultation, we are at your disposal.

For inquiries, please contact:

Attorney Michael Ullrich, LL.M. (Information Law)

Specialist Lawyer for Information Technology Law (IT Law)

Email: info@goldberg.de