On May 25, 2018, the General Data Protection Regulation (GDPR) enters into force. From this point on, all companies which do not comply with the requirements of the GDPR are at risk of increased liability and serious sanctions, in particular, high fines.
Together with our IT lawyer, we give you a summary of the most relevant new requirements, the risks involved and the measures required to ensure compliance with data protection.
GDPR Measures Catalog
1. Why is there a need for action?
By May 25, 2018, all provisions of the GDPR are “armed”. There is no transitional period after this date for an adjustment of the operational processes.
Until now, data protection law was a minor matter for many companies. Infringements threatened only rather mild sanctions: so far, fines have ranged from 50,000 euro to 300,000 euro, and in practice they were rarely higher than five-digit amounts. For comparison, the new maximum fines are, depending on the infringement, up to 10,000,000 euro or 20,000,000 euro, or even 2% to 4% of worldwide sales. Inaction can threaten a company's existence.
2. Is our company affected?
Yes! The requirements affect every company that works with personal data. Personal data may be data from customers, business partners or employees. At the same time, the concept of personal data is so broad that it includes data that would traditionally be considered purely technical data, e.g. log files or IP addresses. There is virtually no company that is not affected.
3. What needs to be done and how can a lawyer specialising in privacy law help you with this?
Each company should first get an initial overview of the new requirements, identify action needs and prioritize actions to be implemented.
Specialized law firms also offer in-house workshops tailored to your company and your industry for this “entry-level” approach.
The implementation of the requirements is a real “project” in which all relevant stakeholders in the company should be involved: management, departments, IT, data protection officer, compliance officer and works council. Achieving 100% compliance is not a realistic goal for many companies. One should, therefore, proceed pragmatically. The aim should be to initiate or implement, by 25 May 2018, any measures necessary to significantly reduce the risk of penalties. It should, therefore, be apparent that a data protection management system has been introduced.
4. Which single topics are important?
In the following, we address topics that are relevant to most companies. If compliance is not established in these areas, the company faces the fines and liability risks described.
a) Sanction and liability risks
First, the risks of non-compliance with data protection requirements. These no longer affect only “the responsible body”, as before, but now also processors and thus many service providers in the IT sector. In addition to the drastic fines, stricter civil liability for damages, which is also extended to liability for “intangible” damages (“compensation for pain and suffering”), is particularly relevant for business models in the B2C sector.
A particular risk is that supervisors may also prohibit certain procedures in the event of data breaches. This can lead to certain products having to be taken off the market or certain business models having to be discontinued.
b) Documentation and Accountability
The obligation to document processes relevant to data protection is being massively expanded. There are already considerable deficits in many companies because, for example, in many cases there is no internal procedure directory. The GDPR stipulates in numerous provisions a duty of documentation and corresponding accountability. This concerns, for example, the documentation of technical and organizational measures (TOMs) or the list of processing activities.
In addition, companies are required to optimize their documentation for reasons of self-protection, as the GDPR partially provides for a reversal of the burden of proof. This means that the company has to exonerate itself in matters of data protection, which is usually only possible by submitting the relevant documentation.
c) Data protection impact assessment
If data processing, in particular when new technologies are used, is likely to entail a high level of data protection-related risk for data subjects, the company must carry out and document an impact assessment and, if necessary, coordinate it with the supervisory authority.
You can find a detailed checklist below the infographic…
+ Forms & Consent
Processing of personal data is only permissible if the person concerned has explicitly and demonstrably consented to this. This means that the double-opt-in procedure, which is already used in many companies anyway, is now also legally fixed. These requirements for consent are thus comparable to the written form requirement or the requirement of any other appropriate form.
+ Data Protection Officer & Legal Adviser
Appoint a data protection officer and report the appointment to the responsible supervisory authority. Also, define corporate responsibilities. If in doubt, additionally consult a specialist lawyer for data protection law.
+ Adapt Corporate Processes
Inform yourself about reporting obligations in case of data breaches, data subject rights and information obligations. You should also seek advice on the technical implementation of data subject rights (information, data portability).
+ Document Internal Processes
Get an overview of the comprehensive documentation and proof obligations. Develop effective and sustainable documentation processes on this basis.
+ Directory of Procedures
Until now, a distinction was made between a public and an internal directory of procedures. This distinction no longer applies under the new GDPR, and the list only has to be made available to the supervisory authorities upon request. However, the requirements for the list of procedures have become much more extensive and should be taken into account.
+ Employee Training
Your employees must directly implement the GDPR as of the reporting date and should, therefore, be well informed in advance about requirements, obligations to cooperate and new internal processes. Make a training plan.
+ Order Processing
Your Contract Data Processing (ADV) contracts and their list of processing activities should be updated as soon as possible.
+ Technical and Organizational Measures (TOM)
Review and evaluate the effectiveness of your TOMs. Plan effective information security management.
Not really sure what you have to do next?
Good news: for our next Evolve MeetUp on 04.04.2018 at COIN co-working Zadar, we have invited a special guest. We are very glad to announce a lawyer from the European ITechLaw Network as a speaker, giving a presentation about the GDPR and what exactly we all have to prepare for.