On 25 May 2018, the EU General Data Protection Regulation (GDPR, in German DSGVO) becomes applicable. It applies to every company worldwide that stores or processes the personal data of persons in the EU. There are rules to follow, and implementing them is advisable, because otherwise high fines loom.
The GDPR was adopted by the EU as early as 2016 and applies from 25 May 2018. It is intended to provide a uniform set of rules for the protection of private and personal data. It affects companies and public bodies that store or process personal data, with no exceptions for companies of a particular size or industry. Nor is it limited to companies based in the European Union: any other company is affected as well, as long as it stores or processes the personal data of persons in the EU.
The EU GDPR can also be seen as an opportunity for companies. Better data protection is good news for customers, a uniform standard makes data exchange between locations easier, and it creates trust.
10 Important points of the General Data Protection Regulation (GDPR)
- The processing principles for personal data, such as lawfulness, transparency, purpose limitation, data minimisation and proportionality, continue to apply
- Every processing operation needs a lawful basis: either the data subject's consent or another justification, such as a contract with the data subject or a legal obligation
- Where processing relies on consent, that consent must be valid (freely given, specific, informed and unambiguous), and the data subject must be able to withdraw it at any time, as easily as it was given
- Data subjects must be informed directly or, where that is not possible, via a publication such as a website; the GDPR defines the minimum content of this information
- Data subjects have extensive rights: access to their data, receiving it in a portable format, rectification, completion and erasure. They can also object to certain processing (e.g. direct marketing)
- Technical and organisational measures must ensure that personal data is secured. Processing must be designed so that compliance with the regulation is built in (privacy by design), and the default settings of every system must already protect the data (privacy by default)
- Personal data breaches must be reported to the competent supervisory authority within 72 hours of becoming aware of them and, where a breach is likely to result in a high risk for the persons concerned, those persons must be notified as well. Every breach must also be documented internally, including those that did not have to be reported
- A data protection impact assessment is required for high-risk processing. If the assessment shows that high risks remain despite the planned measures, the supervisory authority must be consulted before processing starts
- Data transfers to countries that do not have a recognised adequate level of data protection are permitted only under certain conditions, for example with appropriate safeguards such as standard contractual clauses
- Contracts with external processors (e.g. IT outsourcing, external data analyses) must meet the requirements of the GDPR. A processor may engage sub-processors only with the controller's prior authorisation; where a general authorisation is given, the controller must be informed of any change in advance and has the right to object
Furthermore, companies whose core activities carry particular risk (for example large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data) must appoint a data protection officer, as must public authorities. Since many companies carry a more or less high risk, it is generally advisable to appoint one anyway. Processing activities must be documented in any case: the GDPR requires records of processing, especially in high-risk companies but also in other companies.
Preparation for EU-GDPR as a company
With fines of up to 4% of annual worldwide turnover or up to 20 million euros, whichever is higher, companies should take a closer look at data protection. Even if you do not feel directly affected at first, you should consider how to implement data protection guidelines in your company and how to put them into practice.
Some points to prepare for the General Data Protection Regulation (GDPR)
- Appoint a data protection officer who prepares the analyses, gathers information and monitors the implementation of the GDPR
- Systematically analyse existing systems, processes and software to determine the risk and identify potential gaps. A gap and risk analysis is recommended here
- Adapt your own data protection policies, restrict access to sensitive data and use it only on a need-to-know basis (use data and grant access only where it is really necessary)
- Test the requirements and whether the systems behave as intended. What happens if someone withdraws their consent, requests a copy of their data, wants their data deleted, and so on? It is important to verify that these processes actually work end to end, including in derived systems such as marketing tools and backups
- Evaluate the use of data governance systems and data encryption
- Set up continuous monitoring, including log files, and check regularly for anomalies
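The tests in the list above can be automated. The following Python is an added example, not code from the original article or from any particular product: it models a minimal registry with one lawful basis per purpose, a derived store (a newsletter list fed from marketing consent) and a pseudonymous audit log, then exercises withdrawal, access and erasure and reports whether each requirement holds. The purpose names, lawful bases, field names and the sample record are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed lawful basis per purpose: consent can be withdrawn, whereas
# contract-based processing (billing) is not switched off by a withdrawal.
BASIS = {"marketing": "consent", "analytics": "consent", "billing": "contract"}


@dataclass
class Subject:
    subject_id: str
    email: str
    name: str
    consents: set = field(default_factory=set)  # purposes with active consent


class Registry:
    """Primary store, one derived store, and an append-only audit log."""

    def __init__(self):
        self._subjects = {}
        self._newsletter = set()  # derived store: e-mails with marketing consent
        self.audit = []           # append-only; must not contain e-mail or name

    @staticmethod
    def _pseudonym(subject_id):
        # Plain SHA-256 is enough to show the idea; use a keyed hash in production.
        return hashlib.sha256(subject_id.encode()).hexdigest()[:16]

    def _log(self, event, subject_id, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "subject": self._pseudonym(subject_id),
                           **detail})

    def register(self, subject, consented):
        consent_purposes = {p for p, b in BASIS.items() if b == "consent"}
        unknown = set(consented) - consent_purposes
        if unknown:
            raise ValueError(f"consent recorded for non-consent purposes: {unknown}")
        subject.consents = set(consented)
        self._subjects[subject.subject_id] = subject
        if "marketing" in subject.consents:
            self._newsletter.add(subject.email)
        self._log("register", subject.subject_id, purposes=sorted(consented))

    def withdraw(self, subject_id, purpose):
        if BASIS.get(purpose) != "consent":
            raise ValueError(f"{purpose!r} is not consent-based; withdrawal does not apply")
        s = self._subjects[subject_id]
        s.consents.discard(purpose)
        if purpose == "marketing":
            self._newsletter.discard(s.email)  # withdrawal must reach derived stores too
        self._log("withdraw", subject_id, purpose=purpose)

    def may_process(self, subject_id, purpose):
        s = self._subjects.get(subject_id)
        if s is None:
            return False
        return BASIS[purpose] != "consent" or purpose in s.consents

    def export(self, subject_id):
        """Right of access: everything held about the subject, derived data included."""
        s = self._subjects[subject_id]
        self._log("access", subject_id)
        return {"email": s.email, "name": s.name, "consents": sorted(s.consents),
                "on_newsletter": s.email in self._newsletter}

    def erase(self, subject_id):
        s = self._subjects.pop(subject_id)
        self._newsletter.discard(s.email)  # erasure must cascade as well
        self._log("erase", subject_id)

    def audit_mentions(self, text):
        return any(text in str(v) for entry in self.audit for v in entry.values())


def run_checks():
    """Exercise the data-subject processes and return which requirements hold."""
    reg = Registry()
    reg.register(Subject("u1", "alice@example.com", "Alice"), {"marketing", "analytics"})
    r = {}
    r["billing_allowed_without_consent"] = reg.may_process("u1", "billing")
    reg.withdraw("u1", "marketing")
    r["withdrawal_stops_marketing"] = not reg.may_process("u1", "marketing")
    r["withdrawal_reaches_newsletter"] = not reg.export("u1")["on_newsletter"]
    r["analytics_still_allowed"] = reg.may_process("u1", "analytics")
    reg.erase("u1")
    r["erased_from_primary"] = not reg.may_process("u1", "billing")
    r["erased_from_newsletter"] = "alice@example.com" not in reg._newsletter
    r["audit_free_of_personal_data"] = not reg.audit_mentions("alice@example.com")
    r["audit_survives_erasure"] = len(reg.audit) == 4  # register, withdraw, access, erase
    return r


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The point of the derived store and the audit log is that the common failures are not in the primary database: a withdrawal that never reaches the newsletter tool, an erasure that leaves the e-mail address in a side system, or an audit trail that itself stores the personal data it is supposed to prove was deleted. Run checks like these against each system that holds copies, not only the system of record.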
General information on EU-GDPR
If the various points are actively addressed, the GDPR should not mean a great deal of effort or pose a major risk for any company. It applies from 25 May 2018. It is also advisable to contact your suppliers of software, cloud services and the like and to seek brief advice there if questions remain.
In general, it is advisable to apply the “need-to-know” principle and to limit the use of data to only the most necessary. If larger questions remain or there is uncertainty, it is advisable to contact experts.
More Information can be found in the official documents of the European Union.