Companies have until May 25, 2018, to prepare for the changes brought about by the European General Data Protection Regulation (GDPR). Smaller companies and startups are just as affected. Because violations can result in high fines, a seamless transition is especially important for small and young businesses. The following checklist guides you through the most important aspects of the GDPR – by our guest author Tanja Müller for the Professional Association of Legal Journalists.
The GDPR is primarily intended to strengthen the protection of personal data for all EU citizens. This means that non-European companies must also comply with the new data protection regulations when it comes to data of EU citizens. Personal data is information that can be assigned to a specific natural person and thus makes that person identifiable.
This includes, for example, name, date of birth, contact information, and bank account details. Furthermore, information concerning a person's origin, political opinions, religious beliefs or ideology, trade union membership, health, and sexuality is subject to stricter protection.
Checklist: The most important points of the GDPR that entrepreneurs must implement
1. Data subjects must be informed
Those who know the rights granted to data subjects by the GDPR can implement the technical and organizational requirements of the regulation more effectively. For example, according to Articles 13-15, the data subject has the right to information about the personal data stored about them. This right to information gives rise to an obligation for businesses to provide information. The data subject must be informed precisely about which data is being processed, how it is processed, and for what purpose.
Articles 16-20 of the GDPR also grant the data subject the right to rectification and erasure of data. This means that controllers must notify all recipients "to whom personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing" (Article 19, Sentence 1 of the GDPR).
Finally, pursuant to Art. 21 GDPR, every person whose personal data is processed by the controller has the right to object. Consequently, the controller must be technically and organizationally capable of responding promptly and reliably to an objection.
2. Data processors must guarantee compliance with the GDPR
Some companies do not process the personal data of customers and consumers themselves, but outsource this to another company. According to Article 28 of the GDPR, they may only do so if the data processor provides sufficient guarantees "that appropriate technical and organizational measures are implemented so that processing complies with the requirements of this Regulation [...]."
If the data processor in turn engages a third party (a sub-processor), it must first obtain the authorisation of the controller.
3. A record of processing activities must be created
Article 30 of the GDPR requires companies acting as controllers to maintain a record of all processing activities. Paragraph 5 of that article grants small and medium-sized enterprises an exemption from this documentation requirement. A company with fewer than 250 employees is only required to maintain such a record if:
- the processing it carries out poses a risk to the rights and freedoms of the data subjects,
- the processing is not merely occasional, or
- the processing includes special categories of data (as defined in Art. 9 Para. 1 GDPR) or personal data relating to criminal convictions and offences (within the meaning of Art. 10 GDPR).
Small businesses and startups whose business model is primarily based on innovative data processing or related technologies are still subject to documentation requirements.
Documentation is also important because controllers are required to report a personal data breach to the supervisory authority and inform the data subject. The record then makes it possible to trace which data was affected by the breach.
4. Appointment of a data protection officer
If data processing is carried out regularly, systematically, and extensively, a data protection officer must be appointed or hired. An employee or an external candidate is equally eligible for the position.
However, this person must have the necessary expertise in data protection and be able to advise the company on this matter and monitor compliance with data protection regulations (also in cooperation with the supervisory authority). Failure to comply with this rule can result in a fine of ten percent of global annual turnover or up to ten million euros.
Data protection-specific certification procedures
According to Art. 42 GDPR, it is possible to obtain certification. For this purpose, data protection-specific certification procedures, data protection seals, and certification marks are being introduced. Companies that receive this certification can demonstrate to customers and consumers that they adequately comply with the GDPR. Small and medium-sized enterprises often do not yet have the same capacity to implement the GDPR as larger companies. Therefore, the size of the company is taken into account according to Art. 42, Paragraph 1, Sentence 2.
More information on the new General Data Protection Regulation, which will become binding for all EU member states on 25 May 2018, can be found in an eBook on the topic, available free of charge in the GDPR guide.
About the author
Tanja Müller studied journalism and communications at the University of Münster. Today, she works as a freelance journalist for various associations. Her articles focus on issues related to data protection and copyright law.