Implementing data protection in companies in compliance with the GDPR
Taking the importance of data protection in companies seriously
Corporate groups as well as many mid-sized companies are obliged to organise data protection professionally, because the legal foundations are laid down in the General Data Protection Regulation (GDPR). All organisations that handle personal data of customers, members, employees, suppliers and any other interest groups are subject to this regulation. For IT security and the safe use of data, all companies should take the importance of data protection seriously. From freelancers to DAX 40 companies: every company should align and control its entire IT organisation for a GDPR-compliant handling of data.
Memex Consulting GmbH from Munich can support you with this. As a TÜV-certified external Data Protection Officer we ensure legally compliant data protection in your company!
What data protection laws are there?
The most important law for the protection of data is the EU General Data Protection Regulation (EU GDPR). It became effective in the EU and its member states in 2018 and applies directly to every citizen of the EU. The GDPR implements the protection of personal data anchored in the EU Charter of Fundamental Rights. According to Art. 8, every person has the right to the protection of his or her personal data. That data may only be processed in good faith, for specified purposes and with consent or on another lawful basis. Every person has the right to receive information about the data collected about them. This also includes the right to have the data corrected, up to and including deletion. An independent authority monitors compliance with these rules; in Germany, these are the data protection authorities of the Länder. The GDPR is complemented by the Federal Data Protection Act (BDSG) and the data protection laws of the 16 federal states.
What data is particularly worth protecting?
All information by which a human being (in legal terms: a natural person) can be identified is protected by the GDPR. Beside first name and surname, this also includes data that can be directly or indirectly assigned to a person. This creates a long list of personal data that goes far beyond the residential address or the number on an identity card, because data containing information about a person’s health or about their genetic, psychological, physical, economic, social or cultural identity are also protected as personal data under the GDPR: biometric data such as fingerprints and iris scans, driving licences, vehicle registrations, health card numbers, certificates, customer numbers, account data, employee personnel numbers and much more. Hence, the expression “personal data” is interpreted very broadly and even extends to membership of a library. This means that such data can only be processed by someone who has received the person’s explicit written approval to do so, and that approval may be revoked at any time.
How do I make my company compliant with data protection?
The idea of data protection is based on the principle of people’s “informational self-determination”: the owner of the data decides who may gather, collect, store and process data about him or her. This results in extensive obligations for companies in the design of data protection and data security. Companies must observe six principles:
- Prohibition with reservation of permission: collecting data is prohibited unless the data owner gives his or her written approval.
- Purpose limitation: the data may only be used for the purpose for which it was gathered.
- Transparency: the processing must be plausible, traceable and appropriate from the data owner’s point of view.
- Data minimisation: only data that is absolutely necessary for the stated purpose may be collected.
- Correctness: the data must be gathered correctly.
- Data security: the data has to be protected against access by unauthorised persons in line with the current state of the art.
As a data collecting company you should appoint a Data Protection Officer and set up a Data Protection Management System in order to fulfil these obligations.
Data protection in the workplace: what must be observed?
Once you set up a computer workplace at which you or your employees work with data from customers, colleagues or suppliers, your company processes data within the meaning of the GDPR. For this you must take extensive technical and organisational measures to minimise the risk of data protection breaches. These include, for example:
- Data economy
- Ensuring the confidentiality and integrity of the data during processing
- Recoverability of the data after a technical malfunction
Experts call this “Privacy by Design”: the entire data processing system in a workplace needs to be technically designed in a way that complies with the legal requirements. This includes the use of currently available hardware and software so that a breach of data protection can be prevented. Another principle is called “Privacy by Default”: the processing systems shall be pre-set in such a way that no data protection breaches can occur during their operation. Data economy means reducing the data to the bare minimum needed for the particular purpose. In addition, only a few people with access rights should work with the systems, and they should authenticate themselves before each session. Since companies have to consider many aspects of data protection, implement them and monitor their compliance, they should establish a Data Protection Management System.
Here you can read more about a Data Protection Management System and how you can organise it in compliance with the GDPR.
Data protection for customer data: what needs to be considered?
In addition to these rules for processing, you must observe some principles when collecting data. Before the data collection you must inform the data owner which data will be stored, for what purpose, how it is done and when it ends. Data owners must agree to the data processing; this is ideally done in writing. In online procedures the user has to actively agree to each use of their data, which can be done separately, for example by clicking a checkbox. According to the GDPR, companies with 250 employees or more have to appoint a Data Protection Officer. Furthermore, companies with over nine employees must appoint a Data Protection Officer when they regularly work with automated data collection, processing or use. Alternatively, they can assign this task as a service to an external Data Protection Officer.
Here you can read more about the tasks of a Data Protection Officer and how Memex Consulting can support you.
What is a Data Protection Impact Assessment (DPIA)?
The data protection impact assessment is, according to §35 GDPR, a process in which companies determine the risks of a data protection breach using their Data Protection Management System. Companies whose processing is likely to pose a high risk to the rights and freedoms of natural persons, due to the nature, scope, context and purposes of the processing, must carry out this assessment. The DPIA is a prior check that must be carried out on the basis of a checklist from the data protection authority in charge. It must be submitted to the authority, which is in turn entitled to carry out the check.
Is there a certification in data protection?
There are two procedures that allow companies to certify their data protection: certification in accordance with the GDPR and certification in accordance with ISO EN DIN 27001. Both certifications can only be issued externally, by test organisations accredited by the regulatory authorities. These organisations check, on the basis of submitted documents as well as on site at the company, whether the rules of the GDPR or the ISO standard are complied with.
Data protection: what are the efforts and costs?
Ideally, data protection is integrated into the business model of a company. Since the introduction of the GDPR it is strongly recommended to strengthen data protection with a compliant Data Protection Management System. The effort this takes depends on the size of the company as well as the risks that arise during data processing.
Would you like to know how you can set up a GDPR-compliant Data Protection Management System in your company? As a TÜV-certified external Data Protection Officer, Memex Consulting GmbH from Munich takes care of legally compliant data protection in your company!
We will be happy to answer your questions about information security.