The new European General Data Protection Regulation

The new European General Data Protection Regulation (EU GDPR, or simply the GDPR) will apply from 25 May 2018 and will largely replace the national data protection laws in force until then. The GDPR presents great challenges not only to the data protection authorities, but also to every company, irrespective of its size and number of employees. Smaller companies, even micro-businesses, which until now were only too happy to shunt the subject of data protection to one side, in effect saying "we are too insignificant", now fall squarely within the scope of application of the GDPR.

The GDPR entails a multitude of reforms in the area of data protection. New requirements will be imposed, for example, on data protection notices, on consent to the processing of data and on records of processing activities. Companies will in future be obliged to draft data protection guidelines, introduce a data protection management system and make appropriate changes to existing IT directives, employment contracts and works agreements. In addition, it will be necessary to revise the procedures for handling information requests from data subjects and for responding to data leaks.

One wholly new development is the data protection impact assessment (Art. 35 GDPR, often referred to as a privacy impact assessment). Such an assessment will in future always have to be performed where processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where special categories of data are processed on a large scale. As the first step, companies have to determine the extent to which sensitive data will be processed and stored. The second step is to assess the risk: to what extent could a misuse of the data interfere with the rights of the persons concerned, and what could the negative consequences of such interference be.

Another new aspect is the definition of Auftragsverarbeitung (personal data processing under contract). Auftragsverarbeitung largely corresponds to the term Auftragsdatenverarbeitung (commissioned data processing) as used in German data protection law. Currently, in the case of a commissioned data processing arrangement (such as outsourcing functional areas to an external provider), the principal and the contractor are legally obliged to enter into a commissioned data processing agreement in accordance with the stipulations of Section 11 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). The rules imposed by Art. 28 GDPR on Auftragsverarbeitung (personal data processing under contract) are more rigorous. This means that any existing agreements must be amended in line with the new requirements, and that future agreements must be drafted accordingly.

Companies will also have an obligation to sensitise their employees to the subject of data protection. The main consequence of this will be a greater need for training. Employees must be made aware that data protection is a continuous process, not a one-off exercise.

The upshot is that every company within the European Union must, on its own initiative, adapt its corporate structure to the requirements of the GDPR. The regulatory authorities are already indicating that failures in implementation, and infringements of the GDPR once identified, will attract significant penalties. This could be quite tough on large and small companies alike, especially as the upper limit of potential fines is being raised from 300,000 Euro (under the BDSG) to a maximum of 20 million Euro or 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.

We are able to support you, particularly regarding:
  • the drafting of data protection policies and concepts
  • creating records of processing activities (previously known as Verfahrensverzeichnisse, or procedure registers)
  • rules on personal data processing under contract
  • ensuring that rights of data subjects are respected
  • ensuring that a data processing system is established in accordance with the data protection laws
  • maintaining security during data processing
  • introduction of a data protection management system
  • performing data protection audits/certifications
  • preparing data protection documentation
  • introduction of a data protection risk management system
  • implementation of the data privacy impact assessment
  • implementation of legally compliant data processing arrangements within the employment relationship (employee data protection)
  • handling consents
  • handling information requests from data subjects and responding to data protection infringements
  • performing "emergency drills" (e.g. in response to data protection infringements or information requests)
  • drafting data protection training plans
  • drafting or modifying employment and works agreements
  • drafting IT guidelines and work instructions