27/02/2018
The EU's data protection reform, the General Data Protection Regulation adopted by the European Parliament and the Council, changes the rules of the game for companies. Non-compliance can quickly become very expensive.
The new EU General Data Protection Regulation (GDPR) is on its way. Only three months remain before the regulation becomes applicable in all EU member states. Starting May 25, 2018, companies will be playing by new rules when it comes to processing and protecting personal data. Failure to comply can mean administrative fines of up to 20 million euro or 4 percent of an entire group's worldwide turnover from the previous financial year, whichever is higher (Article 83). Companies that do not prepare adequately could thus quickly face fines that far exceed the previous maximum of 300,000 euro under the German Federal Data Protection Act (BDSG). Markus Mergle, an IT consultant and expert in IT security and data protection at msg, has summarized the most important aspects of the GDPR so companies can take a much-needed and critical last look.
Data storage and data locking
Under the GDPR, personal data is subject to new storage and deletion requirements, whatever the legal basis on which it was collected. The principle behind them is purpose limitation, paired with storage limitation: companies may not keep data that is no longer needed for the purpose it was originally collected for. Companies should therefore implement defined deletion processes now, both to avoid holding data without a remaining purpose and to reconcile deletion with statutory retention periods (for example under commercial and tax law) that require certain records to be kept for a fixed time.
In addition, data subjects have the right to request erasure of their data at any time, although the legitimacy of a request has to be verified first. Once a request has been submitted, however, the data may no longer be processed, not even while the request is being verified; this corresponds to what the GDPR calls restriction of processing (Article 18). Implementing a lock function for that data is therefore strongly advisable. Companies with many customer relationships face an additional challenge: rather than locking only at the customer level, they should implement finer-grained locking options. This ensures, for example, that only the data belonging to a contract that is in dispute is locked, while all other contracts of the same customer remain usable.
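The deletion process and the contract-level lock described above, as an added example that is not part of the original article and not msg's own tooling: a minimal in-memory store in Python with purpose-bound retention, a statutory-hold flag for records that a retention law says must be kept, a processing gate that refuses locked records, and erasure requests that lock immediately and erase only once verified. The record layout, purposes, retention periods, customer and contract identifiers and the sample payloads are assumptions made for the illustration.

```python
"""Purpose-bound retention, contract-level restriction of processing and
verified erasure for personal data. Added illustration, not code from the
original article; record layout, purposes, periods and customers are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple


@dataclass
class Record:
    customer_id: str
    contract_id: str
    purpose: str                  # why the data was collected (purpose limitation)
    collected: date
    retention: timedelta          # how long that purpose justifies keeping it
    statutory_hold: bool = False  # e.g. a tax-law retention period still running
    payload: dict = field(default_factory=dict)

    def expired(self, today: date) -> bool:
        return today > self.collected + self.retention


Scope = Tuple[str, Optional[str]]  # (customer, contract) or (customer, None) = all


class PersonalDataStore:
    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], Record] = {}
        self.restricted: Set[Scope] = set()  # locked scopes

    def add(self, rec: Record) -> None:
        self.records[(rec.customer_id, rec.contract_id)] = rec

    def is_restricted(self, customer_id: str, contract_id: str) -> bool:
        # a customer-wide lock or a lock on this one contract both block use
        return ((customer_id, None) in self.restricted
                or (customer_id, contract_id) in self.restricted)

    def process(self, customer_id: str, contract_id: str) -> dict:
        """Every business use of the data goes through this gate."""
        if self.is_restricted(customer_id, contract_id):
            raise PermissionError(f"restricted: {customer_id}/{contract_id}")
        return self.records[(customer_id, contract_id)].payload

    def request_erasure(self, customer_id: str, contract_id: Optional[str] = None) -> None:
        """Lock the requested scope at once; verifying the request comes afterwards."""
        self.restricted.add((customer_id, contract_id))

    def resolve_erasure(self, customer_id: str, contract_id: Optional[str],
                        legitimate: bool) -> int:
        """After verification: erase the scoped records, or merely lift the lock.
        Records under a statutory hold are kept but stay locked for other use."""
        self.restricted.discard((customer_id, contract_id))
        if not legitimate:
            return 0
        in_scope = [k for k in self.records
                    if k[0] == customer_id and contract_id in (None, k[1])]
        erased = 0
        for k in in_scope:
            if self.records[k].statutory_hold:
                self.restricted.add(k)
            else:
                del self.records[k]
                erased += 1
        return erased

    def purge_expired(self, today: date) -> int:
        """Scheduled deletion run: drop data its purpose no longer justifies."""
        expired = [k for k, r in self.records.items()
                   if r.expired(today) and not r.statutory_hold]
        for k in expired:
            del self.records[k]
        return len(expired)


def blocked(store: PersonalDataStore, customer_id: str, contract_id: str) -> bool:
    try:
        store.process(customer_id, contract_id)
        return False
    except PermissionError:
        return True


def demo(today: date = date(2018, 2, 27)) -> dict:
    """One customer, three contracts: a deletion run, then two erasure requests."""
    s = PersonalDataStore()
    two_years = timedelta(days=730)
    s.add(Record("c1", "k100", "contract fulfilment", date(2015, 1, 1), two_years,
                 payload={"iban": "DE00 TEST"}))          # past retention
    s.add(Record("c1", "k200", "contract fulfilment", date(2018, 1, 1), two_years,
                 payload={"address": "Example St. 1"}))   # live contract
    s.add(Record("c1", "k300", "invoicing", date(2012, 1, 1), timedelta(days=365),
                 statutory_hold=True, payload={"invoice": 42}))  # expired but held
    out = {"purged": s.purge_expired(today)}                     # 1 (k100)
    s.request_erasure("c1", "k200")                              # dispute on k200 only
    out["k200_blocked"] = blocked(s, "c1", "k200")               # True
    out["k300_usable"] = not blocked(s, "c1", "k300")            # True
    out["erased_k200"] = s.resolve_erasure("c1", "k200", legitimate=True)  # 1
    s.request_erasure("c1")                                      # now the whole customer
    out["k300_blocked"] = blocked(s, "c1", "k300")               # True
    out["erased_all"] = s.resolve_erasure("c1", None, legitimate=True)     # 0: hold
    out["k300_kept_locked"] = ("c1", "k300") in s.records and blocked(s, "c1", "k300")
    return out
```

Calling `demo()` walks the scenario through: the scheduled run deletes only the contract whose purpose has lapsed, the disputed contract is locked the moment the request arrives while the customer's other contract stays usable, and a record that a statutory retention period says must be kept survives a legitimate customer-wide erasure request but remains locked for any other processing. In a real system the lock check would sit in the data access layer, and both the lock and the final decision would be logged so the company can later demonstrate what was done with the request and when.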
Business model for attorneys: heightened information obligations
Another important point is the extended duty to inform. Articles 13 and 14 of the GDPR require companies to give data subjects considerably more extensive and more detailed information than before, at the time the data is collected or, where it is obtained from another source, within a set period afterwards. Companies should therefore not simply rely on templates found on the web when drafting these privacy notices; instead, they should invest time and work in a sound information model of their own. It should also be expected that more and more customers, and law firms acting on behalf of their clients, will exercise the right of access (Article 15). That right is not new, but the GDPR's entry into application creates more pitfalls for companies, and general interest in the topic will likely grow. Last but not least, some attorneys have already announced that they intend to sue companies for material and immaterial damages (Article 82) should they fail to fully meet the requirements when handling their clients' data. To provide the requested data completely, within the one-month deadline and in compliance with the law, companies must know at all times which personal data they process and where it is located. Maintaining a detailed record of processing activities (Article 30) and implementing a data protection management system are therefore both strongly recommended.
Anyone can get hacked – fast action is what makes a difference
No matter how well a company is equipped against cyber criminals and their tactics, no company is an invincible data fortress; any company can fall victim to an attack. That is why it is important to make it as hard as possible for criminals to find a way in: companies must take preventive measures and verify them with regular penetration tests. Just as decisive is the ability to act correctly if the worst does happen. The GDPR makes this explicit: under Article 33, a personal data breach (the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data, whether or not an attacker caused it) must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. The clock starts at discovery, not at the attack, so detection and triage capability matter as much as the reporting procedure itself, and every breach, reported or not, has to be documented. Well-developed incident response management helps here, giving companies an overview of which data is affected and enabling them to react quickly and in an orderly way.