Data protection is now also a major political issue. It is therefore not surprising that the EU is reacting with increasing regulations. But what does the new GDPR mean for companies and their customers?
May makes everything new
To date, data protection in Germany has been governed primarily by the Federal Data Protection Act (BDSG) regulated. With the new General Data Protection Regulation (GDPR) of the EU, however, these are changing. This new version enters into force on 25 May 2018 in force - and thus for all German companies and their customers.
All-clear This is for all those who have now taken the BDSG to heart and have implemented the regulation internally. For you, the changeover will hardly be problematic. For the others, however, it could now become unpleasant. This is mainly due to the sanctions.
Until now, a violation was punished with a maximum of 300,000 euros. For some companies, this is actually more convenient to finance than the change in IT. Now, however, a fine can cost up to four percent of the global group turnover OR up to 20 million euros. Even for the big players, this is no longer peanuts.
Further innovations in the GDPR
But what other innovations does the GDPR bring with it? Here is an overview of previous and amended requirements under the new law:
Data subjects must consent if their data (personal) be stored by the company. This, in turn, must indicate the purpose of the processing and must not deviate from it at a later stage.
Companies may only store personal data to the extent that it is appropriate for the purpose. The amount of data must be limited to what is necessary for processing.
The data enabling the identification of a person may only be stored to the extent required by the purpose of use.
The customer should be allowed to demand that the company discloses all data relating to him or her to third parties. This change refers to e.g. changes of provider.
The security of personal data must be guaranteed by companies. Also during processing. Loss, destruction or unauthorised access must not take place.
If personal data is not factually correct or up-to-date, it must be corrected or deleted immediately.
Right to erasure
Anyone whose personal data is stored can demand that companies delete it - even if they have previously consented to its storage. No traces of data may remain in the system, such as backups or links. Deleting a data record is therefore usually not enough.
Tighter tying ban
With the introduction of the GDPR, additional services may no longer be linked to consent for data processing.
More responsibility for data protection officers
Furthermore, the innovation will trigger some changes in the procedural area:
Every company that permanently employs more than ten persons with data processing-relevant tasks must appoint a data protection officer. The data protection officer is responsible for compliance with the GDPR. In doing so, he is now liable personal! He is also responsible for developing data protection strategies, communicating and training staff.
In addition, the data protection officer of a company must assess the risks of data storage for the personal rights of the data subjects and comment on them. This is particularly important if the data "assess" individuals, such as religion, origin, political views, health data or creditworthiness. This "data protection impact assessment" was still called "prior checking" in the BDSG.
Furthermore, the company must document how they collect and process the personal data. This information, in turn, must be available to the data subject "in an easily accessible manner and in plain language", as well as information about risks, regulations, rights and guarantees. The law recommends certifications that Consumer inform about the standard.
Protection begins with software development
Companies are not only obliged to introduce at least the prescribed standard, but also to monitor compliance. Control and documentation are to ensure this. To do this, the company must prove that it has met the Technical and organisational measures for data protection has been introduced. Unlike before, the burden of proof for this now lies with the company and no longer with the customers. Every IT system must therefore be designed in such a way that compliance with the DSVGO is guaranteed. Meaning: In principle, data protection must already be taken into account in the software! For example, providers must already sell software with data-protected default settings, such as storage periods and access control.
Complaint - and then?
Any complaints can be filed with the data protection authority of the respective EU state. It does not matter in which country the violations occurred. This also applies to companies. All data protection breaches must also be reported to the competent authority within 72 hours of becoming known. In the case of serious incidents (mostly concerning personal rights), all those affected must be informed. Intangible damages, such as damage to reputation, have also been taken into account.
Further, in some cases, the authority can issue a ban on data processing. One case, for example, would be a major security breach in a company's data protection network.