The EU's General Data Protection Regulation is coming - what will this mean for companies?

The time is approaching: the EU General Data Protection Regulation ("GDPR") will be immediately applicable throughout the EU as of May 15, 2018, with priority over national law. Germany has enacted a supplementary law for this purpose, which specifies the requirements of the GDPR and will replace the current Federal Data Protection Act (BDSG) as of May 15, 2018.

Until then, companies still have time to adapt to the new regulations. Data protection authorities may not impose sanctions until after that date.

The EU's General Data Protection Regulation is coming - what will this mean for companies?

Objectives and scope of the GDPR

The aim of the GDPR is to create a uniform level of data protection throughout the EU. Up to now, each member state had its own data protection regulations, which were only partly based on EU law. However, digitalization does not stop at national borders, so the varying requirements of national laws pose a problem for companies operating across borders. The GDPR aims to remedy this situation and, above all, to ensure uniform rules and conditions of competition for data processing. The GDPR applies not only to data-processing firms established in the EU, but also to data-processing firms from outside the EU that collect data on “affected persons” in the EU.

The GDPR regulates the protection of personal data. Personal data is all the data used to identify a natural person ("affected person"). The GDPR is aimed at public authorities and all natural and legal persons ("responsible parties" and "contract processors") who process personal data. Processing means, for example, the collection, collection, organization, storage, modification, use, transmission and deletion of data - in short, any operation involving personal data. Every company has a great deal of such data (the Regulation mentions employee and customer data, but also suppliers and business contacts often contain personal data as well).

New accountability for data-processing companies

The GDPR defines numerous specific obligations that companies must fulfil. These tasks and responsibilities partly correspond to the previous regulations of the German Federal Data Protection Act, but are to a large extent different or new.

Persons responsible, e. g. the companies, are now accountable for compliance with these data protection regulations, i. e. they must prove compliance with them. They must set up and document their processes in such a way that the data protection authorities can prove that the data processing of personal data complies with data protection requirements.

Concrete need for action

The need for adaptation must be determined individually for each company. However, companies should address at least the following issues:

adapt or enter into contracts for order processing (with service providers),
customize or create a processing directory,
perform privacy impact assessments,
adapt or set up technical and organizational measures,
provide or adapt information for affected persons,
establish internal processes to fulfil the rights of the parties concerned,
appoint a data protection officer,
establish internal processes for reporting data protection breaches,
adapt or set up data protection management systems,
train employees.

The following procedure is recommended as a concrete action plan by May 2018:

determine the need for protection of the personal data processed
analyze and evaluate risks to personal data
define and implement measures to protect personal data
document the results.

Points 1 and 2 are based on the sensitivity and scope of personal data on the one hand, and on the nature of the existing IT infrastructure on the other. Companies should determine the probability with which kind of data can be threatened. Following on from this, in Point 3, measures to prevent damage to personal data should be defined and implemented. In Point 4, the measures taken should be documented so that GDPR conformity can be demonstrated to the supervisory authorities.

Significantly increased fines

A major change from the previous legal situation is that the scope for sanctions for breaches of data protection law is being extended enormously. The data protection authorities may or must impose "effective, proportionate and dissuasive" fines. The GDPR provides for a significantly increased fine of up to EUR 20 million or up to 4% of the total worldwide annual revenues of a company or group of companies.

Conclusion

Companies not only should but must align their data processing processes with the GDPR and the new BDSG. If they fail to do so, not only should they expect high fines from May 25, 2018 onwards, but there may also be a threat of damage to the image of the company among the public, who much more aware of this issue than in the past.

Dr. Björn Schallock , 24.10.2017 back to top

Related Topics

Compliance – Hot Topics for SMEs

Companies have to cope with more stringent regulations. This applies equally to large corporations and to SMEs. The topic of compliance has also long since reached SMEs, as shown in the first part of our study "Compliance – Handlungsoptionen im Mittelstand" published in the autumn of 2016. ...read more

What to expect in 2018: changes in tax and business law

The year 2017 was dominated by the Bundestag election campaign in Germany. As a result, legislative procedures were not pursued with the same vigor as in previous years. The formation of a new German government is still unclear. What can companies expect from 2018? ...read more

#Donald Trump: Is a foothold in the United States worth it for the German Mittelstand?

The United States is one of the most important markets for German companies in general and for the German Mittelstand in particular. This is reflected by the numerous German subsidiaries, branch offices and representative offices in that country. The Charlotte metropolitan area has become a magnet for German Mittelstand companies. More than 300 companies from the German-speaking countries have set up shop there. This is also borne out by the Chamber of Commerce in Charlotte. Sven Gerzer, the Vice President of the Chamber, is the primary contact person for German and other European companies. His main focus is on assisting German companies set up their US location. We asked Mr. Gerzer how the economic conditions and climate have changed in the Charlotte area since the presidential elections in November 2016. ...read more

Ebner Stolz Strengthens its Position as Market Leader in the Mittelstand

German accounting and consulting firm Ebner Stolz grew its revenues to €180.7 million in fiscal year 2016 – a 7.7% increase over the prior year. ...read more

Digital Transfer Pricing Management: Quality Assurance and Improved Efficiency

Profit allocation and thus the tax burden within a group of companies can be actively structured using transfer pricing. For this reason, the hurdles for the tax recognition of transfer prices have become much higher worldwide over the past few years. The current changes in the rules governing transfer pricing documentation are also the result of this development. ...read more

The EU's General Data Protection Regulation is coming - what will this mean for companies?

Objec­ti­ves and scope of the GDPR

New acco­un­ta­bi­lity for data-pro­ces­sing com­pa­nies

Con­c­rete need for action

Sig­ni­fi­cantly inc­rea­sed fines

Con­clu­sion

Related Topics

Com­p­li­ance – Hot Topics for SMEs

What to expect in 2018: chan­ges in tax and busi­ness law

#Do­nald Trump: Is a foo­thold in the Uni­ted Sta­tes worth it for the Ger­man Mit­tel­stand?

Ebner Stolz Streng­t­hens its Posi­tion as Mar­ket Lea­der in the Mit­tel­stand

Digi­tal Trans­fer Pri­cing Mana­ge­ment: Qua­lity Assurance and Impro­ved Effi­ci­ency