The EU's new General Data Protection Regulation: Costly breaches for businesses.
30 Nov


Data protection has become a major political issue, so it is not surprising that the EU is responding with more regulation. But what does the new GDPR mean for companies and their customers?

May makes everything new

Until now, data protection in Germany has been governed primarily by the Federal Data Protection Act (BDSG). That changes with the EU's General Data Protection Regulation (GDPR), which applies from 25 May 2018 - and therefore to all German companies and their customers.

The good news is for those who have already taken the BDSG to heart and implemented its requirements internally: for them the changeover will hardly be a problem. For everyone else it could now become unpleasant, mainly because of the sanctions.

Until now, a violation was punishable by a fine of at most 300,000 euros. For some companies that was actually cheaper than changing their IT. Now a fine can reach 20 million euros or four percent of worldwide annual group turnover, whichever is higher. Even for the big players this is no longer peanuts.

Further innovations in the GDPR

But what else does the GDPR change? Here is an overview of existing and amended requirements under the new law:

    • Provable consent

      Data subjects must consent before a company stores their personal data, and the company must be able to prove that consent. The company must state the purpose of the processing and may not deviate from it later.

    • Data minimisation

      Companies may only store personal data that is adequate for the stated purpose, and the amount of data must be limited to what is necessary for the processing.

    • Storage limitation

      Data that makes a person identifiable may be kept only for as long as the purpose of use requires.

    • Data portability

      Customers may demand that the company hand over all data relating to them, or transmit it to a third party. This is relevant, for example, when switching provider.

    • Confidentiality

      Companies must guarantee the security of personal data, including while it is being processed. Loss, destruction and unauthorised access must be prevented.

    • Correction

      If personal data is factually incorrect or out of date, it must be corrected or deleted without delay.

    • Right to erasure

      Anyone whose personal data is stored can demand that the company delete it, even if they previously consented to its storage. No traces of the data may remain in the system, for example in backups, search indexes or links to the record. Deleting a single data record is therefore usually not enough.

    • Stricter prohibition of coupling

      With the introduction of the GDPR, a service may no longer be made conditional on consent to data processing that is not necessary for providing that service.

More responsibility for data protection officers

The new regulation also brings some procedural changes:

Every company that permanently employs at least ten persons with data-processing tasks must appoint a data protection officer. The data protection officer monitors compliance with the GDPR; responsibility for compliance itself remains with the company. The officer also develops data protection strategies, communicates them and trains staff.

In addition, a company's data protection officer must assess the risks that data storage poses to the personal rights of the data subjects and give an opinion on them. This is particularly important where the data is used to evaluate individuals, for example religion, origin, political opinions, health data or creditworthiness. This "data protection impact assessment" was called "prior checking" under the BDSG.

Furthermore, the company must document how it collects and processes personal data. This information must be available to the data subject "in an easily accessible form, using clear and plain language", together with information about risks, rules, rights and safeguards. The regulation encourages certifications that inform consumers about the standard achieved.

Protection begins with software development

Companies are not only obliged to implement at least the prescribed standard but also to monitor compliance with it, through controls and documentation. They must be able to prove that the technical and organisational measures for data protection have been put in place. Unlike before, the burden of proof now lies with the company and no longer with the customer. Every IT system must therefore be designed so that compliance with the DSGVO is guaranteed. In other words: data protection must be built into the software from the start (data protection by design and by default). For example, vendors must ship software with privacy-friendly default settings, such as storage periods and access control.
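The following Python sketch is an added example (not code from the article or from any product it mentions) of what "privacy-friendly defaults" from this section and the "Right to erasure" point above can look like in an application layer: every record carries a purpose and an expiry derived from a per-purpose retention policy (unknown purposes get the shortest period), reads are denied unless a role is explicitly allowed, erasure also removes derived data such as a lookup index, and an erasure log is replayed after a backup restore so that erased subjects do not reappear. The policy tables, class names and sample subjects are assumptions constructed for the example.

```python
"""Added illustration: 'data protection by default' in an application layer.

Assumed names and policies (not from the article): RETENTION_DAYS, READ_ROLES,
PersonalDataStore. Sample subjects and e-mail addresses are constructed.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention period per processing purpose, in days (assumed values).
# A purpose without an explicit entry gets the shortest period, so that a
# forgotten configuration errs on the side of deleting early, not late.
RETENTION_DAYS = {"order_fulfilment": 365, "newsletter": 30}
DEFAULT_RETENTION_DAYS = 30

# Roles allowed to read records of a given purpose (assumed). Deny by default:
# a role or purpose that is not listed gets no access.
READ_ROLES = {"order_fulfilment": {"support", "billing"}, "newsletter": {"marketing"}}


@dataclass
class Record:
    subject_id: str
    email: str
    purpose: str
    created_at: datetime
    expires_at: datetime


@dataclass
class PersonalDataStore:
    records: dict = field(default_factory=dict)      # subject_id -> Record
    email_index: dict = field(default_factory=dict)  # derived data: email -> {subject_id}
    erased: set = field(default_factory=set)         # erasure log, kept across restores

    def store(self, subject_id: str, email: str, purpose: str, now: datetime) -> Record:
        days = RETENTION_DAYS.get(purpose, DEFAULT_RETENTION_DAYS)
        rec = Record(subject_id, email, purpose, now, now + timedelta(days=days))
        self.records[subject_id] = rec
        self.email_index.setdefault(email, set()).add(subject_id)
        self.erased.discard(subject_id)  # a subject may legitimately sign up again
        return rec

    def read(self, subject_id: str, role: str) -> Record:
        rec = self.records.get(subject_id)
        if rec is None or role not in READ_ROLES.get(rec.purpose, set()):
            raise PermissionError(f"{role!r} may not read {subject_id!r}")
        return rec

    def erase(self, subject_id: str) -> None:
        """Remove the record and every derived entry, and log the erasure."""
        rec = self.records.pop(subject_id, None)
        if rec is not None:
            ids = self.email_index[rec.email]
            ids.discard(subject_id)
            if not ids:
                del self.email_index[rec.email]
        self.erased.add(subject_id)

    def purge_expired(self, now: datetime) -> list:
        """Storage limitation: erase everything whose retention period has run out."""
        expired = [sid for sid, r in self.records.items() if r.expires_at <= now]
        for sid in expired:
            self.erase(sid)
        return expired

    def snapshot(self) -> dict:
        """Backup of the primary records (the index is rebuilt on restore)."""
        return copy.deepcopy(self.records)

    def restore(self, snapshot: dict) -> None:
        """Restore from a backup, then replay the erasure log so that subjects
        erased after the backup was taken do not silently reappear."""
        self.records, self.email_index = {}, {}
        for rec in snapshot.values():
            if rec.subject_id not in self.erased:
                self.records[rec.subject_id] = rec
                self.email_index.setdefault(rec.email, set()).add(rec.subject_id)


def run_scenario() -> dict:
    """Constructed walk-through; returns the observations a test can check."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    s = PersonalDataStore()
    s.store("u1", "a@example.com", "newsletter", t0)
    s.store("u2", "b@example.com", "order_fulfilment", t0)
    s.store("u3", "c@example.com", "untracked_purpose", t0)
    try:
        s.read("u2", "marketing")
        marketing_denied = False
    except PermissionError:
        marketing_denied = True
    backup = s.snapshot()          # taken before the erasure request arrives
    s.erase("u1")
    s.restore(backup)              # e.g. after a disaster recovery
    return {
        "default_retention_days": (s.records["u3"].expires_at - t0).days,
        "billing_can_read_order": s.read("u2", "billing").email == "b@example.com",
        "marketing_denied": marketing_denied,
        "u1_gone_after_restore": "u1" not in s.records and "a@example.com" not in s.email_index,
        "purged_after_31_days": s.purge_expired(t0 + timedelta(days=31)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is the erasure log: a plain delete satisfies the request until the next restore from backup brings the record back, which is exactly the "traces in backups" problem the erasure bullet describes. Keeping a small, non-personal list of erased identifiers and replaying it on restore is one way to close that gap without rewriting old backups.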

Complaint - and then?

Complaints can be filed with the data protection authority of any EU member state, regardless of the country in which the violation occurred; the same applies to companies. Personal data breaches must be reported to the competent authority within 72 hours of becoming known, unless the breach is unlikely to pose a risk to the data subjects. Where an incident is likely to seriously affect the data subjects' personal rights, those affected must also be informed. Non-material damage, such as damage to reputation, is also taken into account.

Furthermore, in some cases the authority can impose a ban on data processing, for example after a major security breach in a company's network.
