GDPR: It's never too late

The European Union’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. That does not mean every company has already implemented the necessary changes. It is high time to take a closer look; here is a checklist.

It has been known for two years that the EU’s new data protection rules would take effect this May. Nevertheless, a survey by the industry association Bitkom one week before May 25, 2018 delivered surprising results: only about a quarter of German companies said they were fully prepared for the new rules. On paper, they now risk fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for a violation of the regulation (Art. 83), plus the administrative costs of preliminary warnings. That is why it is time to act quickly.

For larger companies, it makes sense to set up a working group with representatives from all directly affected areas: data protection, IT, HR, security and risk management, and the legal department. Sales and customer service are affected as well and should be involved. The following checklist gives this working group, or a smaller company as a whole, an initial guide for further action:

  1. Data Protection Officer: yes or no
     Under the GDPR itself (Art. 37), a data protection officer (DPO) is mandatory for public bodies, for controllers whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for large-scale processing of special categories of data such as biometric or health data. German law (§ 38 BDSG) goes further: a DPO is required as soon as, as a rule, at least ten people are constantly occupied with the automated processing of personal data. Automated processing is already the case if customer or employee data is stored on a computer, so count everyone who works with such data as part of their job, not only the IT staff. Companies below that threshold are exempt from the national obligation, but not from Art. 37 if one of its criteria applies. Whoever is appointed must have demonstrated expert knowledge of data protection law and practice (Art. 37(5)), typically obtained through appropriate training.
  2. Updating documents
     All general terms and conditions, privacy notices, internal data protection guidelines, and standard contracts (including the data processing agreements with service providers required by Art. 28) need to be checked for GDPR compliance and adjusted accordingly. Many industry associations provide guidance and sample documents.
  3. Setting up records of processing activities
     Art. 30 GDPR requires records of processing activities showing how, where, and for what purpose personal data is collected and stored. A spreadsheet with one row per IT system or process handling personal data is an acceptable format, but filling it in is where the real work lies. For each system or process, record at least:
     – the corporate process owner
     – the purpose of the processing
     – whose data is processed (categories of data subjects)
     – what information is stored (categories of personal data)
     – who receives the data, including processors and any transfers to third countries
     – deadlines for deletion (retention periods)
     – the legal basis and, where it is consent, how that consent is obtained and documented
     – a general description of the technical and organisational security measures (Art. 32)
  4. Record processes in writing
     What happens to the data once it has been collected, who has access to it, who is responsible for handling deletion requests, and what happens in the event of a data breach? All of this should be laid down in a manual that gives every employee clear guidelines for handling personal data. In addition to describing the data’s path from collection through storage and use to eventual deletion, the process descriptions should define responsibilities. Who informs customers and employees? Who makes sure that a personal data breach is reported to the supervisory authority within the prescribed 72 hours (Art. 33), and that affected data subjects are informed without undue delay when the breach is likely to result in a high risk to them (Art. 34)?
  5. Data protection impact assessment
     For processing that is likely to result in a high risk to individuals, which in particular includes large-scale processing of sensitive data, the GDPR requires a data protection impact assessment (DPIA, Art. 35). It must state clearly why the processing is necessary and proportionate, what the risks to data subjects are, and how the data is protected. Supervisory authorities are required to publish lists of processing operations for which a DPIA is mandatory (Art. 35(4)), but at the time of writing these lists do not yet exist.
  6. Documentation
     Especially important: all efforts to comply with the GDPR must be verifiable, because the regulation makes the controller responsible for demonstrating compliance (accountability, Art. 5(2)). Training of management and the data protection officer, agreements and contracts with service providers, and IT security measures such as the installation of new firewalls or similar adjustments all need to be documented in detail. This way, in any case of doubt, the company can prove that it made every effort to comply with the new legislation.
Author: Kai Ortmann
