GDPR - Respectful handling or scaremongering
How sustainability, transparency and commitment can be lived in practice
Steffen Schaar, Member of the Management Board of The Quality Group GmbH
Published in: DiALOG - THE MAGAZINE FOR ENTERPRISE INFORMATION MANAGEMENT | MARCH 2018
On 25 May 2018, the new EU General Data Protection Regulation (GDPR; in German, EU-DSGVO) becomes applicable. Hundreds of articles have already been written about it. Everyone is talking about it; some have already taken action, others are waiting to see what comes. Rarely has the threat of a fine been formulated so early and so clearly, and it affects companies and private individuals alike. There is a fine line between respectful behavior and the action that goes with it on the one hand, and perceived scaremongering on the other.
Is it new that in times of Big Data, spam and malware (ransomware above all) and "digital strategy" claims, data and information deserve greater protection? No, we have known this for some time. "But," many try to reassure themselves, "so far it has always been the others who have been hit."
It is about data (and who owns it), about personal rights and obligations, and about GMV (gesunder Menschenverstand, common sense). There are data protection officers (Datenschutzbeauftragte), compliance officers, digital officers, and organization and information departments whose job it is to ensure regulated, legally compliant, audit-proof and compliance-assured processes in companies. And they are people with commitment, competence and, above all, a culture of decency and values. So why this hype, this flood of reports, threat scenarios and recommendations, as if it were a storm or earthquake warning?
"Digitization is postponed" ran the headline of a 2017 study, according to which over 50% of companies have no time for digital strategies because current business is going too well. Should we expect the same with the GDPR? It need not be so, because "knowledge is data applied in the context of action." That is the theory. From my experience I add a personal piece of wisdom: "Yesterday we managed data, today we manage information with digital methods, tomorrow we will have to apply digital knowledge for good strategies in a compliant and audit-proof way and archive it in a GDPR-compliant manner." This will succeed if we tackle it rather than whine about it or talk it away. And so I dutifully join the ranks of advisors and share my approach to this topic as a basis for (practical) discussion:
The two most essential pillars are:
- The data protection officer is no longer responsible for implementing data protection, but monitors compliance with it. He or she supports the organization (the employer) in achieving compliance, monitors it, and provides advice and assistance.
- The operational processes of the current (old) data protection regime must be adapted:
  - establish new processes for communicating with the executive floor
  - adapt data protection notices, templates and declarations
  - revise consent forms and obtain new consents
  - integrate new policies for processing on behalf of a controller (Auftragsverarbeitung, processor agreements) into organizational processes
  - implement the new obligations (data protection impact assessment, documentation requirements, etc.)
Formulated as a headline: 'A "stepchild" turns into a full-fledged member of the family (the company)!' As in everyday life, it is appropriate to treat the new partner, the GDPR, with the necessary respect and with an appropriate (individual) corporate culture. It is the same in the family as in the company: a new member costs effort and needs appreciation, respect and care. The added value or benefit usually only becomes visible when situations arise that we like to call challenges. So let us be positive and go on the offensive.
The most important topics, requirements and information on the GDPR in compact form:
- Involve the data protection officer more closely; define responsibilities
- Establish the data protection impact assessment (privacy impact assessment) as a process
- Design processes for the reporting obligations in the event of data breaches
- Design further processes: data subject rights, information obligations, etc.
- Document all processes
- Adapt contracts for processing on behalf of a controller (formerly ADV, Auftragsdatenverarbeitung; now Auftragsverarbeitung)
- Review the existing directory of procedures; create the new record of processing activities (for processors, who now need one of their own, too)
- Set up a training schedule
- Document (or have documented) and evaluate the technical and organizational measures (TOM); define responsibilities
- Check the effectiveness of the TOM; plan penetration tests and information security management
- Where necessary, plan the technical implementation of data subject rights (access to information, data portability, etc.)
- Check forms and consents
- Adapt the privacy policy; adapt web tracking if necessary