Quick check GDPR: you should be able to answer these eight questions with a “yes”
In just a few more months, namely on 25 May 2018, the General Data Protection Regulation (GDPR) will be entering into force as the standard set of new rules for data protection within the European Union and the European Economic Area. For various reasons this could mean a turning point for data protection law: first of all, breaches can be penalised with very high fines of up to 4% of the annual global turnover. Secondly, the accountability principle will give rise to considerable documentation and verification obligations, associated with a reversal of the burden of proof; i.e. enterprises will have to be able to demonstrate and prove their compliance with the new data protection law.
You need to ask yourself the following questions when you implement the GDPR:
- Have you set up an efficient data protection organisation, e.g. appointed a data protection officer?
Data protection officers can be appointed for each unit or for the group. Internal and external appointments are possible. The officer must have sufficient resources and your enterprise may also require additional expertise. Corporate groups can choose whether they wish to be monitored by a single data protection authority. Non-European enterprises must appoint a representative in
- Have you created a directory of your data processing and thus recorded what data processing takes place at your enterprise?
Many enterprises conduct “data mapping” to record all data processing activities. The directory of data processing is an important point of reference for the supervisory authorities and can serve as your centralised information point for data protection.
- Have you established, introduced and tested the corporate processes necessary for data protection, in particular for introducing new systems, for data protection impact assessments and breach notification obligations?
A key element of data protection law is the examination of risks, preventative data protection measures and data protection consequences. On this basis, adequate technical and organisational measures must be stipulated. Additionally, the introduction of deletion concepts and a procedure for notifying data privacy breaches are required.
- Have you introduced internal guidelines and work instructions for your employees and trained your employees?
An internal data protection guideline for employees listing all essential obligations and further-reaching instructions, or a data protection manual, is compulsory to prove a functioning data protection system. Your employees need to be informed and correspondingly trained with respect to
- Have you checked and revised your data protection notice and declarations of consent, and have you set up effective processes for answering requests put by data subjects?
The notification obligations and other rights of data subjects have been significantly expanded. It is therefore necessary, amongst other things, to review data protection notices (for example “policies” on a website) and to establish effective processes to provide data subjects with a swift response to their requests (here, the GDPR contains new regulations such as a right to object to data processing based on “a legitimate interest” as well as a right to take your data with you).
- Have you introduced and agreed adequate model contracts for data protection, such as data processor agreements, secrecy undertakings, etc.?
According to the new data protection law, written agreements with contract data processors, other jointly responsible parties and other persons acting upon instruction, as well as secrecy undertakings by your own employees, are a mandatory requirement. These documents, which have also been common practice in Germany to date, will have to be brought in line with the new legal situation and implemented with the contractual partners.
- Have you made the necessary adjustments to your employee data protection schemes?
Formal undertakings for employees, works agreements and the data protection notices to employees will need to be adapted and revised.
- Do you transmit data to third countries and have you regulated this?
The essential instruments such as data protection agreements and the EU-US Privacy Shield remain in force. In future, however, even greater value will be placed on a clean implementation and documentation.
Oppenhoff & Partners’ ITC practice is involved in numerous GDPR implementation projects for medium-sized and major clients and would be pleased to help you with your implementation measures. Hence our motto for implementation: better earlier than later, but rather later than never.
Further information can be found in our GDPR news ticker.