Data Protection Management System: the concept is what counts
Data protection and a Data Protection Management System are a top management issue because it is responsible when it comes to a data protection breach. Therefore, you as a manager should initiate the establishment of a GDPR-compliant Data Protection Management System and monitor the development and the implementation personally.
Definition: What is a Data Protection Management System (DPMS)?
A Data Protection Management System is a company-wide integrated tool that helps organisations to realise the legal requirements for data protection. It consists of structural and procedural organisation as well as technical, personnel and monitoring measures for the handling of personal data.
Read more about the basics of data protection and a GDPR-compliant implementation here.
When does it make sense to introduce a Data Protection Management System?
All companies that process personal data must comply with the General Data Protection Regulation (GDPR). However, a Data Protection Management System (DPMS) is not anchored in the law. All data-processing organisations must rather ensure that they comply with the requirements of the Act. And since it is very broad and complex it makes sense to implement a Data Protection Management System. Moreover, companies with over 250 employees or such that have data processing as their business model have to appoint a Data Protection Officer. They can also appoint an external Data Protection Officer.
Read more about the appointment and tasks of a Data Protection Officer here.
Structure of a Data Protection Management System
A Data Protection Management System is based on a data protection concept. First, the companies need to analyse all procedures and processes for handling personal data. Then all departments have to define and implement new data protection processes and receive new data protection guidelines.
Data Protection Management System: planning & implementation
The planning and implementation of a Data Protection Management System always requires team work. The following data protection elements are to be considered:
- Redefinition of all processes according to the requirements of “Privacy by Design” and “Privacy by Default”
- Setting guidelines on where, how and for what purpose data is processed in the company
- New hardware and software to protect the IT systems against data loss
- Protection against natural hazards (fire, water, dust)
- Uninterruptible power supply and air conditioning
- Protection against access by unauthorised persons
- Roles and rights of data access for all user groups
- Measures for network security
- Regular software updates for all end devices in the network
- Real-time monitoring of the network traffic
- Data security
- Encryption and
- Pseudonymisation of personal data
- Rules for password changes by authorised users
- Organisation of the processes for the confidentiality, integrity and availability of the personal data and processing systems
- Measures to recover data after loss (backup)
- Data protection impact assessment
- Specifications for the regular review and update of the Data Protection Management System
Further elements in a Data Protection Management System are a concept for the implementation of the rights of the parties concerned as well as rules for the event of damage. This includes:
- Data protection policy
- Processes for separate approval of the users to different concepts of use
- Responsibility to inform about the gathered data, corrections, withdrawal of consent, deletion (right to forget)
- Rules for the information processes after a data protection breach
After implementing the Data Protection Management System, the Data Protection Officer should prepare documentation of all processes and rules. This is needed at the latest for the data protection impact assessment and for the audit by the competent data protection authority.
How high are the costs for the introduction of a Data Protection Management System?
The greatest effort is in the design, implementation and control of a Data Protection Management System. The costs vary depending on the size of a company, the number of sites and employees. Especially the type and scope of data processing have an influence on the effort required to protect against data protection breaches.
Do you want to set up a Data Protection Management System and need support? Arrange a free initial consultation with Memex Consulting GmbH here. Let’s talk about data protection for your company.