Then it will be “privacy by design” instead of “learning by doing”
The EU General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018 (it formally entered into force in May 2016, with a two-year transition period).
That leaves only about four months to prepare for this substantial change to data protection law.
To date, many companies have proceeded according to the motto "learning by doing" when it comes to data protection: it was not really an issue as long as nobody complained. This will fundamentally change once the GDPR applies, because the companies responsible for processing (the controllers) must demonstrate their own proactive initiative and accountability. The GDPR pushes much harder for strategies to prevent data leaks, and for precise documentation of data processing operations, of the protective measures taken and of any data protection breaches. Records must be kept showing compliance with the requirements of data protection law. What will be needed is nothing less than every company having a data protection concept ("privacy by design") that is oriented on the specific risks of its own processing.
Why do data protection and the implementation of the GDPR have such high priority?
Alongside this stronger accountability principle, the GDPR substantially expands the framework for fines for data protection breaches. Infringers face fines of up to EUR 20 million or up to 4% of total worldwide annual turnover for the preceding financial year, whichever amount is higher. And because the GDPR imposes numerous documentation and record-keeping obligations on controllers and processors, supervisory authorities will in future probably find it much easier to identify data protection breaches.
Implementation basis: analysis of actual situation
The basis for implementing the GDPR is always a careful analysis of the current data protection concept as practised and of the individual data processing operations. Insofar as this has not already been done, this as-is analysis should be carried out as quickly as possible. Only on that foundation can a solid target analysis be carried out to determine the individual implementation steps.
First implementation steps
An important task, and one whose time requirement should not be underestimated, is drawing up the records of processing activities pursuant to Article 30 of the GDPR. Documentation must be created for every type of processing activity, naming inter alia
Where possible, the envisaged time limits for erasure and the pertinent security concept (a general description of the technical and organisational security measures) are also to be documented.
When drawing up the processing list, template forms can be used for each processing activity; these can then be compiled into one set of records and kept up to date.
Moreover, a comprehensive data protection concept is to be drawn up/updated. This requires inter alia that
For some further points, for example the data protection impact assessment (Article 35 of the GDPR), it is not yet clear what specific tasks companies will have to perform. This will probably only become clear from practice and from the case law expected after 25 May 2018.
It would be a mistake, however, to conclude from this that companies can still take it easy for now. For most companies, drawing up a record of processing activities and a data protection concept is already more than enough to do.