Data protection is now also a major political issue. It is therefore not surprising that the EU is reacting with increasing regulations. But what does the new GDPR mean for companies and their customers?

May makes everything new
To date, data protection in Germany has been governed primarily by the Federal Data Protection Act (BDSG). With the EU's new General Data Protection Regulation (GDPR), however, this is changing. The new rules come into force on 25 May 2018 and from then on apply to all German companies and their customers.
At this point, the all-clear for everyone who has taken the BDSG to heart and implemented its rules internally: the changeover will hardly be a problem for you. For the others, however, things could now become unpleasant. This is mainly due to the sanctions.
Until now, an infringement was penalised with a maximum of 300,000 euros. For some companies, that is actually cheaper than the changeover in IT. Now, however, a fine can cost up to four per cent of global group turnover or up to 20 million euros. That is no longer peanuts, even for the big players.
Further innovations in the GDPR
But what other changes does the GDPR bring? Here is an overview of previous and amended requirements under the new law:
- Proven consent: Data subjects must give their consent if the company stores their personal data. The company in turn must specify the purpose of the processing and may not deviate from it later.
- Data minimisation: Companies may only store personal data to the extent necessary for the purpose. The amount of data must be limited to what is necessary for processing.
- Storage limitation: Data that enables the identification of a person may only be stored to the extent required for the intended purpose.
- Transferability: The customer can demand that the company passes on all data relating to them to third parties. This change relates to switching providers, for example.
- Confidentiality: Companies must guarantee the security of personal data, including during processing. Loss, destruction or unauthorised access must not occur.
- Correction: If personal data is factually incorrect or out of date, it must be corrected or deleted immediately.
- Right to erasure: Anyone whose personal data is stored can demand that companies delete it, even if they have previously consented to it being stored. No data traces may remain in the system, such as backups or links. Deleting a single data record is therefore usually not enough.
- Stricter ban on tying: With the introduction of the GDPR, additional services may no longer be made conditional on consent to data processing.
More responsibility for data protection officers
The innovation will also trigger a number of procedural changes:
Every company that permanently employs more than ten people with data processing-related tasks must appoint a data protection officer. This person is responsible for compliance with the GDPR. He is now personally liable! He is also responsible for developing and communicating data protection strategies and for training employees.
In addition, a company's data protection officer must assess the risks that data storage poses to the personal rights of the data subjects and report on them. This is particularly important if the data "assesses" individuals, for example by religion, origin, political views, health data or creditworthiness. This "data protection impact assessment" was still called "prior checking" in the BDSG.
The company must also document how it collects and processes personal data. This information must in turn be made available to the data subject "in an easily accessible manner and in plain language", as must information on risks, regulations, rights and guarantees. The law recommends certifications that inform consumers about the standard.
Protection begins with software development
Companies are not only obliged to introduce at least the prescribed standard, but also to monitor compliance with it. Monitoring and documentation are intended to ensure this. To this end, the company must prove that it fulfils the technical and organisational measures for data protection. Unlike before, the burden of proof now lies with the company and no longer with the customer. Every IT system must therefore be designed in such a way that compliance with the GDPR is guaranteed. In other words: data protection must be taken into account in the software itself from the outset! For example, providers must already ship software with privacy-friendly default settings, such as storage periods and access control.
Complaint - and then?
Complaints can be submitted to the data protection authority of the respective EU country. It does not matter in which country the offence occurred. This also applies to companies. All data protection breaches must also be reported to the competent authority within 72 hours of becoming known. In the case of serious incidents (usually those affecting personal rights), all affected parties must be informed. Non-material damage, such as damage to reputation, has also been taken into account.
In some cases, the authority can also issue a ban on data processing. One such case would be, for example, a major security breach affecting a company's data protection network.
