The GDPR, which came into force in 2018, still poses challenges for companies within the European Union. Not only is there a need for comprehensive data protection compliance in many companies, but implementing individual regulations also raises many questions in practice.
However, it is a fallacy to believe that violations of the GDPR can be overlooked. Instead, sales-related penalties in the millions are imminent. But how can data protection be implemented in the company? And what obligations do companies have to fulfill? This article will tell you more.
Do you need support or have questions about data protection? Our team consists of experts from the fields of data protection law, IT, and security. We would be happy to support you in a non-binding personal meeting with any open questions you may have about data protection.
There is no denying that implementing data protection regulations means long-term work. Many companies, therefore, see the requirements of the GDPR as just another burden imposed on them, which means one thing above all: effort. However, the GDPR and its obligations also bring some advantages.
We have arrived in an age in which data misuse and hacker attacks have long ceased to be a rarity. Companies that emphasize data security and thus protect their customers and business partners can gain or maintain public trust.
In this way, they can not only retain existing customers and partners but also gain new ones and set themselves apart from competitors. But employees also develop a better sense of risk in their work and handle the data entrusted to them more carefully if they receive sufficient training and information.
In addition, the GDPR “forces” companies to take another close look at their processes and structures and to rethink them. This reveals where there are risks concerning data protection, which work steps may be outdated and obsolete, and where functions can be simplified.
If you take a close look at all your company’s processes, you can modernize your company and give it a thorough “clean-up” – in other words, make it fit for the future.
View the current change as an opportunity to bring about positive changes in your company, standardize processes, bring everything up to date and drive digitization forward.
In 2018, the General Data Protection Regulation (GDPR) came into force, which was intended to introduce uniform regulations within the European Union for data protection in companies and public authorities. The GDPR thus replaced national legal rules and created many innovations.
Data protection primarily means protecting personal data that is not or may not be accessible to the public. Personal data is all information that directly concerns a natural person, i.e., a human being, and reveals facts about them. This includes names, dates of birth, religion, health data, or that person’s connection with a company, whether as a customer, patient, or business partner.
Dealing with this information is always governed by data protection. There is an obligation to collect only the minimum amount of personal data and to prevent access by third parties. Therefore, only the necessary data may be collected in the first instance. Furthermore, this data must be protected so it cannot leak out.
In addition, the persons concerned have the right to determine which of their data they wish to disclose and whether this data may be processed or passed on (so-called informational self-determination).
In plain language: anyone who collects, stores, or processes data in their company must base their data processing on a legal basis and, for example, obtain the consent of the data subjects for the processing. The data subjects may revoke their consent once given at any time.
Especially in advertising, many companies are uncertain, as they often address and contact their customers directly via specific channels. In most cases, this also means data processing at the same time.
Even or primarily because the GDPR does not provide for any specific regulations on the topic of advertising measures, we believe it is essential to provide companies with some information:
Personal data may only be used to place advertising if there is no overriding interest of the data subject to the contrary, such as informational self-determination.
The fact that companies have a legitimate interest in data processing is presumed; this is important for economic growth. However, they must weigh in each case which personal data is being used and whether protecting it outweighs the advertising measure.
In principle, companies may continue to contact prospective customers and customers with direct advertising. According to the new GDPR, this must only be documented and controlled more strictly. In addition, they must comply with the applicable competition law, which requires prior consent in most cases.
Nothing has changed here due to the introduction of the GDPR, as telephone or email canvassing is regulated by the Act against Unfair Competition, which stipulates that the recipient’s consent is and remains required for newsletters, telephone calls, or email contact.
For newsletters, the recipient’s consent is always necessary. In addition, companies must already inform at the time of newsletter registration to whom and for what purpose data will be transmitted.
In most cases, it is sufficient to refer to the data protection information that you (must) provide on your website. There must also always be the option to unsubscribe from the newsletter.
Every recipient of advertising has the right to object to the sending of advertising at any time. As soon as the data subject provides their data, in addition to the information that the data will (also) be used for advertising purposes, the right to object must be pointed out.
According to the GDPR, companies must ensure adequate personal data protection through appropriate technical and organizational measures. This means they must weigh up which procedures and processing operations pose more or fewer risks and how high the level of protection must be.
Technical measures refer to data processing operations as such. These are measures that can be implemented physically, such as the installation of an alarm system or a light barrier.
Organizational measures are the rules and conditions of a data agreement. Here, courses of action should be defined and principles established that tell employees how to implement data protection.
Although the GDPR does not prescribe any courses of action, it does describe data protection goals that companies can use as a guide. However, how to achieve them is at the company’s discretion.
The decisive factor for the choice of measures is the existing risk to data subjects and their data. The riskier the processing and the more sensitive the data, the higher the data protection and security measures must be.
Companies must take measures on the following points:
It is not necessary to implement all technical and organizational measures and have them at hand at all times. Instead, it is a toolbox from which you select the appropriate measures and integrate them into your business processes.
Nevertheless, it makes sense to protect data processing with several measures. This way, your company is on the safe side and protects itself from potential incidents that can mean fines in the millions and reputational damage.
Compliance means adherence to all laws and guidelines relevant to companies, national or international. In addition to applicable commercial and corporate standards, this includes criminal and data protection laws.
In EU countries, the GDPR is of particular relevance. In practice, compliance requires taking care of the lawful conduct of the company in all business areas. In this context, whether the issue is labor law requirements in the HR department, billing practices in sales, or cross-departmental matters is initially irrelevant.
On the other hand, data protection compliance means adherence to data protection laws within the company. The central objective is to avoid liability risks and reputational damage by implementing data privacy compliance.
Advancing digitization and modern business processes mean a compliance strategy is only possible by considering the GDPR. An effective management system for data protection compliance is therefore required, which must be continuously monitored and further developed after implementation.
Non-compliance can result in severe penalties for companies – the relevant supervisory authority can impose up to 2-4% of annual global sales for violations. If such a penalty is imposed, it usually happens in public. Thus, a sanction may well impact a company’s image and cause customers, employees, and business partners to boycott the company.
To date, around 1,300 fines have been imposed in Germany, totaling 2,099,520,477 euros (as of October 2022). The seven highest fines already account for more than half of the total.
If these violations by Germany’s most prominent companies are factored out, the average fine per company is around 400,000 euros. What’s more, the damage to the company’s image lingers in consumers’ minds for years. Companies should therefore be conscientious when it comes to data protection and work with data protection experts who can provide them with comprehensive advice and support.
It is beyond the scope of this article to go into all the obligations of companies. In our knowledge center, you will find comprehensive articles on individual obligations’ requirements, which explain in detail which steps to take.
In the following, we have compiled a checklist for you, which should clearly illustrate where you can start in your company:
Implementing the regulations contained in the GDPR indeed means much work for companies. However, it should also be recognized that opportunities and benefits can certainly be drawn from the GDPR.
But even if you are still looking for a substantial advantage or sense in data protection, you should pay attention to it. The risks should never be underestimated.
You should therefore take precautions, identify and eliminate risks with care, and take appropriate measures for the best possible data protection. After all, once it is too late, you could face a fine and, in the worst case, damage to your reputation.