(Böblingen) The new EU General Data Protection Regulation (EU-GDPR) will enter into force on 25th May 2018. Hundreds of articles have already been written about it. Everyone is talking about it, some have already acted, others are letting it happen. Rarely has pressure in the form of the threat of fines been formulated so early and so clearly, affecting companies and private individuals alike. There is only a fine line between respectful interaction and the associated actions on the one hand and the feeling of panic on the other.
Is it new that, in times of Big Data, malicious software (spam and ransomware) and strategic digital demands, increased protection should be given to data and information? No, we've known this for a long time. "But", as lots of people say in an attempt to calm themselves, "it's only ever other people that have been affected".
It is about data (ownership), personal rights and duties, it is about common sense. There are data protection (DP) officers, compliance officers, digital officers, organisational and information departments that are supposed to ensure regulated, legally compliant and audit-compliant processes are carried out in companies. And they are people with commitment, competence and, above all, a culture of decency and values. So why this hype, this flood of reports, threat scenarios and recommendations, such as would be common with a storm or earthquake warning?
"Digitisation is postponed", was the headline of a study in 2017, which said that more than 50% of companies have no time for digital strategies due to success. Are parallels to the GDPR to be expected here? It doesn't have to be that way, and it mustn't be, because "knowledge is data applied in the context of action". That's the theory. From my experience, I'd like to offer a nugget of personal wisdom: "Yesterday we managed data, today we manage information with digital methods, tomorrow we will have to apply digital knowledge for good strategy compliance in a conformant and audit-compliant way, and we will have to store it in accordance with the GDPR". This will succeed if we approach it properly and do not complain or kick it into the long grass. And that's why I am joining the queue of advisors and providing my approach to this topic as a basis for discussion of (practical) best practice:
The two most important pillars are:
- The Data Protection Officer is no longer responsible for implementing data protection, but will monitor compliance with it. They should support the organisation, the employer, in ensuring compliance with the legislation, monitor it and be available with advice.
- The operational processes of the current (old) data protection must be adapted:
  - Establish new processes in communication with the executive level
  - Adapt data protection notices, templates and declarations
  - Revise and obtain new declarations of consent
  - Integrate new order processing guidelines into organisational processes
  - Convert measures (data protection impact assessment, documentation obligations, etc.) into new duties.
Formulated as a headline, “A ‘stepchild’ becomes a fully-fledged family (company) member!”
As in normal life, the necessary respect and an appropriate (individual) corporate culture should be shown to the new partner "GDPR". This applies in the family as well as in the company. A new member requires effort, and needs appreciation, respect and care. The added value or benefit (advantage) usually only becomes visible when situations arise that we nowadays like to call challenges. So, let's be positive and go on the offensive.
The most important topics, requirements and information on GDPR in a compact form:
- Greater involvement of the data protection officer, defining responsibilities
- Establishing a privacy impact assessment as a process
- Designing processes: Reporting obligations in the event of data breach
- Shaping other processes: rights of the party concerned, information duties, etc.
- Documenting all processes
- Adapting contract data processing (CDP)
- Reviewing the procedure index
- For processors of orders: Creating a new list of processing activities
- Establishing a training schedule
- Documenting and evaluating technical and organisational measures (TOM) and defining responsibilities
- Testing the effectiveness of the TOM, planning penetration tests and information security management
- If necessary, planning the technical implementation of the rights of the parties concerned - information, data transferability, etc.
- Reviewing forms and consents
- Adapting data protection declaration, adjust web tracking if necessary
All in all, this presents the challenge of being able to access data, information, documents, agreements and contracts quickly, at any time and from any location. Organisational procedures and processes must be organised in such a way that efficient data (protection) management for enterprise-wide information can be realised across departments and lived transparently.
To put it succinctly, “The benchmark is not the medium, but the employees are. Their actions, in the sense of transparent documentation, filing and compliance with organisational processes, allow the EU-GDPR to be properly anchored in companies”. That way, it is not a threat, but rather a benefit in the sense of data (protection), the careful handling of sensitive personal data, and also in relation to the deletion of data.
So how can you implement the EU-GDPR practically and with the necessary respect?
- Interpret the law for yourself and your organisation, define your individual requirements and draw up a short-term list of measures, as well as long-term organisational processes, with deadlines for monitoring compliance and, if necessary, a CIP.
- According to the legal regulations, certain personal data must be stored in an audit-proof manner and protected against deletion and manipulation. A major innovation in the EU-GDPR is the “right to be forgotten”. It must therefore be possible to delete data, including links and references. An enterprise-wide, cross-departmental information (data) management solution in the sense of EIM (Enterprise Information Management) is a long-term, measurable investment for a future-orientated solution, which is above all modularly expandable to react to agile changes in your company's digital strategy (data protection is an important part of it!).
- When securing your data and compliance, it is usually advisable to rely on proven support. Consultancy firms and solution providers have prepared themselves well for the topic of EU-GDPR and positioned themselves with appropriate checklists and solutions. A good decision is for both consulting and the solution to come from a single source, such as the TQG businessApp platform, with an app as a data protection dashboard. Here you have contracts, documents, procedural control, persons in charge, cases and obligations to provide evidence/reporting, all clearly arranged in one app, configurable and expandable.
The responsibility now lies, as described above, with the organisation, not only with the DP representative. The DP representative supervises and advises; the organisation puts management measures into practice and ensures implementation of and compliance with the EU-GDPR. Employees and people with responsibility face the challenges together as a team! By doing so, it will be possible to design digital transformation in such a way that we can combine one of the most valuable resources of the future - data - with the highest possible value.