GDPR: Key facts for perfect preparation
On 25 May the time has come: the new GDPR (General Data Protection Regulation) becomes effective. But what does this mean for companies, and how can one best prepare for it? To prepare ourselves, we appointed a data protection officer specifically for this purpose, and we would now like to share our knowledge with you. The key facts about the GDPR are set out in this article.
In the animal kingdom, one would imagine the current situation like this: the elephant trumpets, the tiger roars, the monkey pulls the hair of the primate on the neighbouring branch. Big turmoil, absurd excitement. Such a situation could be triggered by an imminent storm or a herd of wild long-haired oxen - in our world it is the upcoming GDPR. But seriously: the GDPR is currently bringing sweat to the brow of many entrepreneurs, because the due date is already 25 May 2018. This means that companies face a penalty of up to EUR 20 million or up to 4% of annual global turnover if the bible of the data protection god is not implemented. Since we are affected by this ourselves, we had an in-depth look into the issue.
Let's start from scratch: the letters of the acronym stand for General Data Protection Regulation. Starting in May, the new EU regulation will have direct effect in all member states and is intended to create a uniform legal framework for the entire field of data protection. Our society is becoming more and more digital, the volume of data keeps growing, and in recent years there has been an increase in what we might call creative interpretation of the Data Protection Act. This is because individual EU countries have interpreted privacy laws differently from one another, which led to inconsistency. This is now to change. Essentially, the previous fundamental data protection principles are maintained and are even emphasised in the law, but the individual elements of the Data Protection Act are set out in much more detail, with the aim of eliminating grey areas.
The basics of the GDPR - what is not permitted
Let's first deal with the basics of the GDPR. What are the fundamental principles of data protection to date? In a nutshell, it includes:
• Transparency: The processing of personal data must always be traceable for any person concerned. This means that a full privacy statement will be required in future.
• Purpose: All data collected may only be processed for the intended purpose. A prerequisite for this is that the purpose for which the data is required is defined and documented at the beginning of the processing procedure. According to Art. 6(4) GDPR, a subsequent change of purpose is only permissible if it is compatible with the original purpose.
• Prohibition with reservation of permission: In principle, data may only be processed in accordance with the law, and any processing of personal data is prohibited unless permitted by law.
• Data economy (data minimisation): The processing of personal data is limited to what the purpose of processing requires. Data may not be used for other purposes, so as to prevent "stocking up" on collected data (Art. 5(1)(c) GDPR).
• Confidentiality: All personal data must be protected from unauthorised access, destruction or alteration by means of technical and organisational measures.
These principles are the basics of the GDPR and have now been put into concrete terms regarding scope, wording and, of course, consequences. On the one hand, this serves to protect personal data; on the other hand, it considerably limits companies in their routine data processing. But let's first concentrate on personal data. Until now, the definition of this term in particular was largely a matter of individual interpretation. The new GDPR has made specific changes to this terminology, and a clear definition is laid down in Art. 4(1) GDPR:
Personal data is data by which a person can potentially be identified.
This means a person does not necessarily have to be identified; it suffices that information is available by means of which he or she can be identified. This now includes pseudonymous cookies as well as IP addresses and similar "online identifiers". This is causing particular unease in the world of online marketing, because many tracking concepts and analyses of data for re-targeting and the like will now be more difficult to implement. The agency industry is also heavily affected due to its extensive volume of customer data and must adapt its data protection processes. We have therefore closely scrutinised our PROAD agency software and looked into the other specific changes adopted in the GDPR:
• More rights for natural persons: As of 25 May, express consent is required from all persons from whom data is collected. This also covers all information on the location and time of the data - which data was stored where, and since when?
• Extraterritorial application: The world is becoming increasingly connected, and data can be received and sent from everywhere. Therefore, territorial application has been defined more precisely: what counts is where the data flows to, not where you work from.
• Risk-based accountability: Each company is now responsible for ensuring that all effective data privacy measures are taken.
• Obligation to report violations: If the data protection obligation is violated, the person responsible must inform the supervisory authority within 72 hours.
• Data protection officer: Companies whose employees are not subject to a professional permit and which have more than 10 employees are now required to appoint a data protection officer. This position can be assumed by an internal employee or an external person.
Your advantages - what you are permitted to do
However, the GDPR does not only bring disadvantages or impose further limitations on businesses. Data protection also takes economic interests into account. The protection of personal data now also goes hand in hand with the free movement of data, which enables more flexible handling of protected data. It should be noted at all times, however, that anonymous data is only considered anonymous if it is impossible to trace it back to a specific person. Furthermore, personal data may be processed as before, provided that the purpose is to fulfil a contract or a pre-contractual request. Processing is also permitted if it is required by other laws, and there is now a very special clause that attracts the attention of most business people:
Processing of personal data is allowed on the basis of legitimate interests.
So far so good. So is legitimate interest a matter of interpretation? Certainly not, because if we have learned one thing from the GDPR, it is that nothing can simply be assumed any more. Legitimate interests are, in particular, economic interests, and we have summarised them for you in a graphic.
We are ready
Quite a lot of input on the GDPR, which we also had to work through first. But since we did not want to get anything wrong, we went straight for professional help and hired an external data protection officer. As a result, our company, and PROAD Software in particular, is well advised: we prefer to ask twice rather than make a blunder in connection with data protection. To get you prepared as well, we have compiled a checklist so that you can face May with less stress. For many, 25 May 2018 might still seem a long way off, but we advise taking action now, before it is too late: the GDPR has already entered into force; 25 May is merely the day on which the new EU regulation unfolds its full effect. Our recommendation: deal with this subject in good time, because there is no leniency for companies that have not adapted their data processing to the GDPR by then. With our data protection officer, we are now optimally prepared, but one question still seems to remain unanswered: can acronyms be branded "worst word of the year"? GDPR would certainly be a strong contender.