
Data protection

Davina Spohn

What must be taken into account under the GDPR

The EU General Data Protection Regulation (GDPR) applies from May 25, 2018; it replaces the Data Protection Directive 95/46/EC and, in Germany, the old Federal Data Protection Act (BDSG). Companies that do not comply face fines of up to €20 million or 4% of their total worldwide annual turnover, whichever is higher (Article 83(5) GDPR). What is changing? What needs to be considered?


In general, SoftGuide - an internet portal for business software - advises companies to make data protection and the implementation of the GDPR a top priority. Checklists can be used to build the register of processing activities, if necessary with the help of data protection software and external assistance. Points of contact are the state supervisory authorities responsible for data protection, IT service providers specializing in data protection, and lawyers specializing in IT law.

According to SoftGuide, the following eleven points in particular need to be considered when the GDPR takes effect:

1. Clarify responsibilities

Have the responsibilities for data protection been clarified in the company? Is there a data protection officer, and have his or her contact details been published and communicated to the competent supervisory authority in accordance with Article 37(7) GDPR? SoftGuide advises summarizing the data protection objectives in a guideline and making the relevant employees aware of the data protection risks.

2. Check the lawfulness of data processing

Article 6 GDPR regulates the lawfulness of processing, and paragraph 1 effectively serves as a checklist: processing is lawful only if at least one of the following applies.

  • The data subject has given consent (Article 6(1)(a)).
  • The data is needed to perform a contract with the data subject (Article 6(1)(b)), e.g. passing a delivery address to a freight forwarder.
  • The processing is required by a legal obligation (Article 6(1)(c)), e.g. archiving invoices under tax law.
  • The processing protects the vital interests of a person (Article 6(1)(d)), e.g. in a medical emergency.
  • The processing is necessary for a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)).
  • The controller or a third party has a legitimate interest that is not overridden by the interests of the data subject (Article 6(1)(f)), e.g. IT security, compliance, or working time recording.

Every processing activity should be mapped to exactly one of these bases before it starts, because the legal basis must later be stated in the privacy notice and in the register of processing activities.

3. Handling of personal data

Personal data includes not only a person's name, address and date of birth, but also their income, their purchasing behavior, their IP address and their browsing and click behavior - anything that relates to an identified or identifiable natural person (Article 4(1)). For online services offered directly to children, consent is only valid from the age of 16; for younger children, the consent of the parent or legal guardian is required (Article 8). EU member states may lower this age to no less than 13, but Germany has kept 16. Controllers must be able to prove that the data subject, or the legal guardian, has consented to the processing (Article 7(1)).

Companies are accountable

4. The "right to be forgotten"

Under Article 17 GDPR, companies must delete personal data without undue delay when the data subject requests it and one of the grounds in Article 17(1) applies, for example because the data is no longer needed for the purpose it was collected for, or because consent has been withdrawn and no other legal basis exists. The right is not unconditional: data subject to a statutory retention obligation, such as invoices under tax law, may not be deleted before that period ends (Article 17(3)). Companies need documented processes that receive such requests, check the exceptions, carry out the deletion in all affected systems - including backups and processors - and record what was done.

5. Register of processing activities

A significant change from the previous law is the accountability principle (Article 5(2) GDPR): the company must not only process data in accordance with the GDPR, it must be able to demonstrate that it does. Every company must demonstrably pursue data protection objectives such as data minimization, transparency of processing and purpose limitation. Compliance alone is therefore no longer enough; it must be provable to the supervisory authorities. The central instrument for this is the register of processing activities under Article 30 GDPR, which must be made available to the supervisory authority on request (Article 30(4)).

According to SoftGuide, a lack of proof can lead to a fine - even if the processing was carried out in accordance with the law. Some issues are not yet clearly regulated. For example, according to the Federal Association of Data Protection Officers, it is unclear how companies must handle customer consent if they wish to collect personal data for multiple purposes.

Article 30(5) GDPR exempts companies with fewer than 250 employees from keeping the register, but only if the processing is occasional, is not likely to result in a risk to data subjects, and does not involve special categories of data (Article 9) or data on criminal convictions. Since almost every company processes employee and customer data on a regular basis, in practice nearly all companies - including micro-businesses, medical practices, pharmacies, educational institutions and associations - must keep such a register. SoftGuide recommends creating an entry for each processing activity individually, for example for the CRM system, the HR information system or the time recording system.

Obligation to self-disclose data breaches

6. Dealing with processors

All external parties that process personal data on the company's behalf - including tax consultants - must be bound by a contract.

If the company passes personal data on to external parties for processing on its behalf - so-called processors such as Datev, tax consultants or logistics companies - this must be based on a contract or "other legal instrument" that meets the requirements of Article 28(3) GDPR (subject matter, duration, nature and purpose of the processing, confidentiality, security measures, assistance with data subject requests, deletion or return of data at the end of the contract, and audit rights). If the processor engages a sub-processor, it needs the controller's prior authorization, and the same data protection obligations must be imposed on the sub-processor (Article 28(2) and (4)).

Maintenance and remote maintenance of company systems also require a processing contract unless the company can rule out with certainty that the service provider can access personal data during maintenance. In practice this is rarely possible for remote access to production systems, so such contracts should be concluded with IT service providers as a rule.

7. Data protection impact assessment

For processing that is likely to result in a high risk to the rights and freedoms of data subjects - Article 35(3) GDPR names, among other things, systematic large-scale monitoring of publicly accessible areas such as video surveillance, and large-scale processing of special categories of data - the company must carry out a data protection impact assessment (DPIA) before the processing starts. The DPIA must describe the processing and its purposes, assess its necessity and proportionality, evaluate the risks to data subjects, and document the measures taken to address those risks (Article 35(7)).

8. Obligation to report "data breaches"

Companies must report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Article 33). A notification is only not required if "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." Where the breach is likely to result in a high risk for the persons affected, they must also be informed without undue delay (Article 34). A data breach is not only a hacker attack: accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data all count (Article 4(12)), so a lost laptop or an e-mail sent to the wrong recipient can be notifiable. Independently of whether a notification is required, every breach must be documented internally, including its effects and the remedial action taken (Article 33(5)); this record is what the supervisory authority will ask for.

Update company website

9. Update the privacy policy for websites

The GDPR increases the information obligations of website operators (Articles 13 and 14): among other things, the privacy notice must state the legal basis for each processing operation, the retention period, the recipients of the data, the data subject's rights including the right to lodge a complaint with a supervisory authority, and the contact details of the data protection officer if one has been appointed. According to SoftGuide, it is therefore important to revise the existing privacy notices on company websites.

10. The 'Privacy by Design' principle

'Privacy by design' means taking data protection into account from the start when systems for processing personal data are designed. Under Article 25(1) GDPR this obligation falls on the controller: it must implement appropriate technical and organizational measures, such as pseudonymization and data minimization, both when determining the means of processing and during the processing itself. Recital 78 encourages software and hardware producers to build their products accordingly, but the legal responsibility remains with the company that uses them.

11. The 'Privacy by Default' principle

Privacy by default (Article 25(2) GDPR) means "data protection through privacy-friendly default settings". In software, for example, the default settings must ensure that only the personal data necessary for the specific purpose is processed, and that it is not made accessible to an indefinite number of persons without the user's intervention; the user should not have to change settings to protect their privacy. Like the rest of the GDPR, this also applies to non-European companies that offer goods or services to, or monitor the behavior of, people in the EU (Article 3(2)).
