General Data Protection Regulation applies from 25 May 2018

From then on it will be “privacy by design” instead of “learning by doing”

The EU General Data Protection Regulation (GDPR) applies from 25 May 2018 (it formally entered into force in May 2016, with a two-year transition period).

Therefore, there are only about four months to prepare for this substantial change to data protection law.

To date, many have proceeded according to the motto “learning by doing” where data protection is concerned: it was not really an issue as long as nobody complained. This situation will change fundamentally once the GDPR applies, because controllers must now demonstrate their own proactive initiative and take responsibility themselves (the accountability principle of Article 5(2)). The GDPR pushes much harder for strategies to prevent data leaks, and for precise documentation of data processing, of the data protection measures taken and also of data protection breaches. Records must be kept showing compliance with the requirements of data protection law. What will be needed is nothing less than a data protection concept in every company (“privacy by design”), oriented on the specific risks of its processing.

Why do data protection and the implementation of the GDPR have such high priority?

Alongside the strengthening of companies’ own responsibility, the GDPR substantially expands the framework of fines for data protection breaches. Infringers face fines of up to EUR 20 million or up to 4% of total worldwide annual turnover for the preceding business year, whichever amount is higher. Because the GDPR imposes numerous documentation and record-keeping obligations on controllers and processors, it will in future probably be much easier for supervisory authorities to identify data protection breaches: the records themselves show what is being processed and whether the required measures exist.

Implementation basis: analysis of actual situation

The basis for implementing the GDPR is always a careful analysis of the data protection concept as currently practised and of the individual data processing operations. Insofar as this has not already been done, this analysis of the actual situation should be carried out as quickly as possible. Only on that foundation can a solid target analysis be carried out to determine the individual implementation steps.

First implementation steps

An important task, not to be underestimated particularly because of the time it takes, is drawing up the record of processing activities pursuant to Article 30 of the GDPR. The record must be in writing (electronic form is sufficient) and must be made available to the supervisory authority on request. Documentation is to be created for every type of processing activity, naming inter alia

  • the name and contact details of the controller (and, where applicable, of any joint controller, representative and data protection officer);
  • the purposes of the processing;
  • the categories of data subjects;
  • the categories of personal data processed;
  • the categories of recipients of personal data; and
  • where applicable, transfers of personal data to a third country or international organisation, including the identification of that country or organisation.

Where possible, the envisaged time limits for erasure of the different categories of data and a general description of the pertinent technical and organisational security measures (Article 32) are also to be documented.

When drawing up the record, template forms can be used for the individual processing activities; these are then compiled into one set of records, which must be kept up to date whenever processing changes.

Moreover, a comprehensive data protection concept is to be drawn up or updated. This requires inter alia that

  • the legal basis for each individual processing operation be checked,
  • existing consents to data processing be reviewed and, where they do not meet the GDPR’s requirements, renewed,
  • technical and organisational data protection measures be implemented in accordance with the respective state of the art in order to guarantee an appropriate level of protection,
  • procedures be put in place for handling personal data breaches, including notification of the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and communication to the data subjects where required,
  • data processing agreements with processors be updated to the content required by Article 28,
  • where applicable, a data protection officer be designated, his or her contact details published and the supervisory authority notified,
  • where applicable, existing works agreements with the works council be updated, and
  • where applicable, the data protection concept be certified.

Way forward

For some further points, for example the data protection impact assessment under Article 35, it is not yet clear exactly which specific tasks will fall to companies in practice. These will probably only become clear from practice and from the case law expected after 25 May 2018.

However, it would be a fallacy to conclude from this that companies can take it easy for now. For most companies, even just drawing up the record of processing activities and a data protection concept is arguably more than enough to do in the time remaining.

The information on this page may have been provided by a contributor to ChinaGoAbroad, and ChinaGoAbroad makes no guarantees about the accuracy of any content. All content shall be used for informational purposes only. Contributors must obtain all necessary licenses and/or ownership rights from the relevant content owner(s) before submitting such content (including texts, pictures, photos and diagrams) to ChinaGoAbroad for publication. ChinaGoAbroad disclaims all liability arising from the publication of any content/information (such as texts, pictures, photos and diagrams that infringe on any copyright) received from contributors. Links may direct to third party sites out of the control of ChinaGoAbroad, and such links shall not be considered an endorsement by ChinaGoAbroad of any information contained on such third party sites. Please refer to our Disclaimer for more details.