Until then, companies still have time to adapt to the new regulations. Data protection authorities may not impose sanctions until after that date.
Objectives and scope of the GDPR
The aim of the GDPR is to create a uniform level of data protection throughout the EU. Up to now, each member state had its own data protection regulations, which were only partly based on EU law. However, digitalization does not stop at national borders, so the varying requirements of national laws pose a problem for companies operating across borders. The GDPR aims to remedy this situation and, above all, to ensure uniform rules and conditions of competition for data processing. The GDPR applies not only to data-processing firms established in the EU, but also to data-processing firms from outside the EU that collect data on “affected persons” in the EU.
The GDPR regulates the protection of personal data. Personal data is all data that can be used to identify a natural person (the "affected person"). The GDPR is aimed at public authorities and all natural and legal persons ("responsible parties" and "contract processors") who process personal data. Processing means, for example, the collection, organization, storage, modification, use, transmission and deletion of data - in short, any operation involving personal data. Every company holds a great deal of such data (the Regulation mentions employee and customer data, but data on suppliers and business contacts often contains personal data as well).
New accountability for data-processing companies
The GDPR defines numerous specific obligations that companies must fulfil. These tasks and responsibilities partly correspond to the previous regulations of the German Federal Data Protection Act, but are to a large extent different or new.
Responsible parties, e.g. companies, are now accountable for compliance with these data protection regulations, i.e. they must prove that they comply with them. They must set up and document their processes in such a way that they can demonstrate to the data protection authorities that their processing of personal data complies with data protection requirements.
Concrete need for action
The need for adaptation must be determined individually for each company. However, companies should address at least the following issues:
- adapt or enter into contracts for order processing (with service providers),
- customize or create a processing directory,
- perform privacy impact assessments,
- adapt or set up technical and organizational measures,
- provide or adapt information for affected persons,
- establish internal processes to fulfil the rights of affected persons,
- appoint a data protection officer,
- establish internal processes for reporting data protection breaches,
- adapt or set up data protection management systems,
- train employees.
The following procedure is recommended as a concrete action plan by May 2018:
- determine the need for protection of the personal data processed,
- analyze and evaluate risks to personal data,
- define and implement measures to protect personal data,
- document the results.
Significantly increased fines
A major change from the previous legal situation is that the scope for sanctions for breaches of data protection law is being extended enormously. The data protection authorities may or must impose "effective, proportionate and dissuasive" fines. The GDPR provides for a significantly increased fine of up to EUR 20 million or up to 4% of the total worldwide annual revenues of a company or group of companies.
Companies not only should but must align their data processing operations with the GDPR and the new BDSG. If they fail to do so, not only should they expect high fines from May 25, 2018 onwards, but they also risk damage to the company's image among the public, which is much more aware of this issue than in the past.