The EU General Data Protection Regulation at a Glance

The General Data Protection Regulation (GDPR) came into force on May 25, 2018 and has been mandatory in all EU member states since then. Companies that do not comply with it can expect high fines. In this blog post, we provide a brief overview of what the GDPR includes and what companies should be aware of.

What Is the GDPR & What Is It About?

The GDPR is a general regulation of the European Union. The aim of the GDPR is to standardize the (legal) framework for the processing of personal data for both private companies and public bodies across the EU.

The aim is free data flow within the EU and transparent processing of personal data.

The GDPR replaces the previously applicable directive “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (95/46/EC), which still had to be implemented into national law by the respective EU member states.

In contrast to a directive, a general regulation applies equally and directly to all member states. What is particularly interesting is that the regulation also affects companies from third countries for the first time, provided that they address their offers to EU citizens and therefore also process data from EU citizens (“market place principle”).

This means that non-European companies in particular will have more work to do, as the scope of application was not so extensive until now.

Companies based in the EU, on the other hand, should find it easier to offer services and products because, ideally, individual national guidelines that previously had to be observed will no longer apply and only the GDPR will have to be observed.

Unfortunately, it is not quite that simple. In principle, the GDPR prohibits member states from weakening or strengthening the data protection laid down in the regulation through national regulations. However, the regulation contains various opening clauses that allow individual member states to regulate certain aspects of data protection on their own national level.

There will therefore continue to be national data protection laws that supplement and/or adapt the GDPR, as is happening in Germany with the “Data Protection Adaptation and Implementation Act EU (DSAnpUG-EU)”.

Addendum: On November 25, 2019, the Data Protection Adaptation Act was announced in the Federal Law Gazette. This primarily involves a conceptual adaptation of many national regulations to the GDPR and does not involve any far-reaching changes for companies.

What Does the GDPR Regulate?

The GDPR regulates the legal basis for data processing, the rights of those affected and the obligations of those responsible. Existing rights of those affected are expanded and supplemented by new rights (e.g. the right to have data transferred more easily from one provider to another – data portability). The most important goals at a glance:

My Data at Companies

When people provide information to companies, for example because of a relationship with that company or in return for a service such as online ordering, the GDPR aims to ensure that those affected receive more information about the processing of their data.

Support for Data Portability

In future, personal data held by one company must be easy to transfer from that provider's system to the system of another provider if the person no longer wishes to use the first company's services.

The Right to Be Forgotten

The GDPR contains new guidelines on what needs to happen when a person no longer wants their data to be processed. The requirements have also been adjusted on the extent to which data can and must be deleted when there are no legitimate reasons for keeping it.

Reporting Data Breaches

A very important point for companies: how should a company proceed when a data breach has occurred? The GDPR is intended to regulate the reporting of data breaches uniformly across European countries. The most important aspect here is that the competent national authorities must be informed of serious data breaches as quickly as possible. This is to ensure that affected users can take appropriate measures to protect their personal data and, if financial information is affected, their bank accounts.

From a Company Perspective: What Needs to Be Considered?

These days, personal data is collected almost everywhere in the company.

Employees are increasingly working outside the company with laptops, smartphones or tablets, and cloud applications are also being used more and more in different companies.

The IT team is also no longer necessarily involved in every decision. This means that personal data is generated in individual departments and at individual workstations and is stored locally there. It is therefore almost impossible for the IT department to keep track of who has stored, accessed and used what, when and where.

Please note: In the future, fines will be able to amount to up to 20 million euros or up to four percent of the worldwide annual turnover, whichever is higher. The data protection authorities are also required to pursue violations more effectively and impose fines.

In order for a company to be able to act in accordance with the GDPR, the first step is to create an appropriate foundation. It is important to gain clarity about where personal data is collected and stored in the company. Most often this is the marketing and sales departments, but some personal data is also held in customer service and accounting.

At this point, the PCs that are available to employees when traveling and for home offices should not be neglected.

Once the foundation has been laid and it is clear where all personal data is collected and processed, it is important to provide it with a high level of protection and to document the data processing process. Theoretically, in the future it may be necessary to immediately account for how data processing is carried out in the company.

For companies that have already taken data protection seriously and documented this accordingly, it will be much less effort to comply with the new data protection regulations and be able to prove this. Although increased documentation and proof requirements will mean more work, they can be implemented quickly. Hard work will be required for companies that have not yet had any documentation of their data processing.

Privacy by Design and Privacy by Default

The GDPR requires compliance with the principles of “privacy by design” and “privacy by default”: personal data should not be collected for its own sake, but only when it is necessary to provide a service.

This means that data protection regulations must be taken into account when developing products and processes and data may only be collected when it is really necessary to provide the service (privacy by design). The default settings for devices or platforms must also have the highest technical level of data protection (privacy by default).

Conclusion

Not everything about the DSGVO or GDPR is new. Companies from Germany in particular will already be familiar with a lot of it, provided they have fully complied with the Federal Data Protection Act (BDSG). Some things only change slightly, but this must also be taken into account. Previous data processing and consent to data processing will only remain valid if they comply with the new regulations of the DSGVO. Not to be forgotten are the now much more severe penalties that can be imposed for data protection violations, which should give enough reason to deal with the issue.