Companies everywhere are talking about the EU's General Data Protection Regulation (GDPR), because the deadline is 25.05.2018. This blog post is meant to give departments and IT divisions the tools they need to be ready when the regulation takes effect on 25.05.2018.
What is the EU's GDPR?
According to article 1 of the GDPR,
- it lays down rules on the protection of natural persons with regard to the processing of personal data, and rules on the free movement of such data.
- it protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
- the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The GDPR applies directly in every EU member state. It does not abolish the German Federal Data Protection Act (BDSG), but rather builds on it: the BDSG served as a cornerstone in drafting the European regulation, and it has been revised to supplement the GDPR and tightened on certain points. These requirements now have to be met.
What does the introduction of the EU's GDPR mean for my company?
The introduction of the GDPR naturally has implications for every company that works with personal data, and the same rules and rights apply to all of them. For example, companies must introduce measures that protect the personal data of natural persons during processing and that preserve their fundamental rights and freedoms. This means that data in all systems and processes, for example in a data warehouse (DWH), must now be handled in compliance with data-privacy requirements. Personal data arises, for example, from
- the storage and processing of employee data.
- the provision of customer and supplier data.
- the use of services.
- the registration of guests and visitors.
- the submission of contact and address data.
If any of these apply to you, you must pay attention to the new regulation!
The GDPR is also binding on companies that do not have their headquarters in the EU but offer goods or services to people in the EU, regardless of whether those services are free of charge. From 25.05.2018 onward, infringements are punishable by fines: up to €10 million or 2% of a company's worldwide annual turnover, and for the more serious infringements up to €20 million or 4%, whichever amount is higher.
Which rules does the EU's GDPR change for my company?
The new regulation contains requirements that companies must meet towards their customers (the data subjects). For example, customers have the right to:
- information about, and access to, the personal data held on them.
- correction or deletion of individual details.
- transfer of their data to another provider (data portability).
- deletion of the entire pool of personal data collected about them.
If these rights are not fulfilled, the fines mentioned above apply.
Furthermore, companies must now document their data processing meticulously. For this, a record of processing activities is to be kept which states the purpose of each processing operation. The processing method, the origin of the data (how it was collected) and, where applicable, any transfer of the data to third parties must also be described. Bear in mind at all times that the data subject can withdraw consent or object to processing, and that individual details may therefore have to be removed from a data set. Who may actually obtain which data, and has the legality of every access been ensured?
How can I implement the new regulations at my company?
At many companies, GDPR compliance is still in its infancy. But time is running out, and there will be no leeway after the deadline, because the transitional period will have expired. The first steps should include at least the following:
- Introduction of an enterprise-wide project for identifying the processing of personal data.
- Documentation of processing and assignment to legal processing purposes.
- Existing and new processing methods should be legally assessed and approved.
- Introduction or revision of the permission concept (who may see what?).
- Extension of the points of contact (POCs) so that customer requests, such as access or deletion requests, can be fulfilled.
- Revision of existing systems and processes with regard to technical measures, based on the principle of privacy by design.
A tip from me: form an enterprise-wide core team that specializes in this transformation. It should consist of
- IT / technical experts for an understanding of the data-processing systems and their interfaces.
- a business administrator to put data and processes into an economic context.
- a lawyer to deal with the legal requirements of the EU's GDPR.
Every enterprise that uses personal data, in whatever form, must have adapted to the new rules by 25.05.2018 at the latest. This requires considering all enterprise requirements, for example the introduction of a record of processing activities so that the supervisory authorities can check data processing at any time. It is best to tackle the issue today, before it catches up with you!