The clock is ticking and companies in the EU will have to meet the requirements of the new General Data Protection Regulation (GDPR) from the end of May 2018. The Regulation brings extensive changes for business, writes Herwig Thyssens.
“Companies and public authorities face hefty fines for non-compliance,” stresses Herwig Thyssens, Head of T-Trust at T-Systems, and goes on: “Nonetheless, lots of them aren’t prepared.”
According to studies by market researchers from Veritas Technologies and Bitkom, the German IT industry association, a great many companies are not yet geared up for implementing the GDPR.
The problem cannot be the time frame since the Regulation was drafted back in April 2016. It primarily aims to harmonize data protection law in Europe. The EU seized the opportunity to further develop data protection and adapt it to newer technologies.
The Regulation introduces countless new obligations for companies while giving EU citizens more protective rights for their data. The obligation to produce supporting documents, privacy by design, the right to be forgotten and the obligation to notify data breaches – there is a long list of conditions, and companies must act swiftly to comply with the new rules.
After all, companies that fail to observe the regulations on the storage and processing of personal data face fines of up to €20 million or four percent of their gross global sales.
Consumer rights and company obligations
Another important aspect is the strengthening of consumer rights, i.e. the rights of the data subjects. Consent from the data subjects will in future be governed by even tighter requirements; they will need to be informed, and any consent to data storage must be voluntary. In addition, the controllers will also have to be able to demonstrate compliance.
The previous right to erasure will also be extended to include a right to be forgotten for data that has been made public. Another new provision will allow data subjects to “take away” the data they have provided to another company in a structured, commonly used, machine-readable format. This data portability must be completed without any hindrance and directly between the controllers in each company.
There is also a range of new requirements for companies. First and foremost they now have greater responsibility for data protection with extended accountability. Instead of current reporting in the data processing register, controllers and processors will in future have to maintain a directory of processing activities.
Companies will also have to use privacy by default for their products and services. Consequently, companies should ensure that only a minimum amount of data is processed. Another principle is privacy by design: Companies must structure organization, processes and technologies in such a way that data protection is easier to comply with, among other things by encrypting and pseudonymizing certain data.
The Regulation also governs the appointment of a data protection officer as well as the implementation of a data-protection impact assessment. This is required wherever data that is sensitive from a data protection law viewpoint is processed, such as in medicine.
Companies must introduce GDPR-compliant procedures
“This demonstrates that quite a few changes are required in the companies. So for them, it’s high time to act,” explains Herwig Thyssens from T-Systems. “What they need is new technical/organisational measures and procedures for handling data. Companies must also train their staff and make them aware of data protection as well as implementing new software and processes – such as for data management and compliance management.”
So within the companies, the focus is squarely on the IT departments, which are faced with deciding whether their use of cloud services complies with data protection law. The answer? It depends.
Firstly, data protection regulations such as the General Data Protection Regulation only apply to personal data, although this now affects the majority of applications. Secondly, the offerings of the numerous cloud providers differ in several respects.
For public cloud services and software-as-a-service offerings, in particular, the physical location of the data centre and the country from which the cloud services are managed are pivotal. Whether or not personal data leaves Germany and/or the European Union is the key issue here. This is already the case as soon as the data appears on a support employee’s screen outside of the European Union.
Only when companies have fulfilled all these requirements, both for their own IT applications and for the cloud services they use, will they be a step closer to complying with the GDPR.
At present, nobody knows to what extent public authorities will check compliance with the regulations and how consumers will react. So it is quite conceivable that from June 2018 the first particularly critical consumers will demand GDPR-compliant information about the data stored on them.
To what extent this will happen remains to be seen. But companies from all sectors should gear up for having to answer questions from consumers and data-protection authorities. The maxim here is: better safe than sorry.