Data protection compliance: What the GDPR requires of companies
As a result of growing digitization, the flow of data is also increasing all the time. As a result, data protection compliance and data security are becoming increasingly important for companies, which has also been recognized by policymakers for several years now.
However, the use of technologies and automated processes leads to a risk for data protection. Companies must be highly conscientious during collecting, storing, and processing personal data.
A data protection compliance strategy can help meet the legal requirements and provide an overview of the status of processing operations and processes. This article will show which requirements must be completed under the GDPR and how you can best proceed.
The most important facts in brief
- Compliance means the integration of guidelines into the company for adherence to legal requirements.
- Part of such corporate compliance is also data protection, the main objective of which is to protect personal data.
- Data protection compliance helps to integrate structures and processes in the company, which work together to form a comprehensive compliance management system, thus enabling compliance with the GDPR.
- Data protection also plays a role in other compliance measures. For this, compliance managers and data protection officers work closely together.
Definition: Data protection compliance
The term compliance is understood to mean adherence to all laws and guidelines relevant to companies. This includes standards at both national and international levels (here, especially EU law). In addition to applicable commercial and company law standards, this includes criminal and data protection laws. In EU countries, the GDPR is particularly important.
So-called compliance managers check that the company’s conduct complies with the law in all business areas – from labor law requirements in the HR department to billing practices in sales and cross-departmental data protection. As part of data privacy management, processes are created that are necessary to implement and ensure the essential requirements of data privacy in the planning, setup, and operation of data processing.
Effective measures to protect personal data are necessary to ensure that data privacy in the company complies with the law. This involves explicitly sensitive data that affects the rights of natural persons.
Good to know: Company-sensitive data is mainly irrelevant to legal regulations. Even if companies are interested in protecting secrets (such as company secrets), these do not play a role in implementing the GDPR. The GDPR – a uniform data protection standard at the EU level – replaced national data protection laws in May 2018. The GDPR must therefore guide anyone who wants to meet the legal requirements.
Data protection compliance means adherence to data protection regulations in companies. The central goal is to protect the data subjects, avoid liability risks for companies, and prevent damage to their image due to data leaks and unauthorized data processing. Accordingly, the company’s data security directly impacts its reputation.
Due to advancing digitalization and modern business processes, a compliance strategy is only possible by considering the GDPR. An effective data protection compliance management system is therefore required, which must be continuously monitored and further developed after implementation.
Data protection compliance under the GDPR
The GDPR requires that the processing of personal data is organized so that companies can demonstrate compliance with legal requirements at any time (so-called accountability, Article 5 (2) GDPR).
This refers to all data processing principles enshrined in the law:
- Lawfulness, processing in good faith, transparency
- Purpose limitation principle
- Data minimization
- Requirement of the accuracy of data
- Principle of storage limitation
- Integrity and confidentiality
Companies must weigh what measures they can take to meet specific requirements. Other factors such as technical possibilities, costs, type and scope of data processing, and risk severity must also be considered. The goal is to minimize data flow and protect data subjects’ rights.
Implement these technical and organizational measures in your company to monitor them continuously and improve them if necessary. In many cases, an external data protection officer’s neutral view immediately identifies typical errors or inefficient processes.
Among other things, you must keep a register of processing activities (Art. 30 GDPR). Creating or regularly maintaining this register is time-consuming, but it enables you to achieve targeted and effective data protection compliance in the long term.
For some processes, you must also conduct a data protection impact assessment (Art. 35 GDPR). With the abundance of data protection obligations, it can help to hire a data protection officer, which is even mandatory in some cases (Art. 37 GDPR).
In addition, mechanisms must be integrated to report to the competent supervisory authority within 72 hours in case of a data protection breach (Art. 33 GDPR). In addition, it may be necessary to notify the individuals affected by the data breach (Art. 34 GDPR). Generally, companies should cooperate and maintain exchanges with the competent supervisory authorities and the data subjects.
GDPR: Data subject rights of central importance
Companies must also observe the rights of data subjects (Art. 12-22 GDPR). These include, for example:
- the duty to inform
- the duty of clarification about the collection of data
- the revocation of consent
- the right to information
- the right to deletion of data
- the right to data portability
Data subjects should also be able to contact your company as quickly as possible and find a competent contact person responsible for data protection matters in practice.
Data privacy compliance management for companies
Before you start implementing data protection laws and incorporating appropriate measures into your processes, you should take stock of the situation. This involves taking a close look at the status quo and analyzing the current status of your data protection compliance.
Here’s how you can proceed:
- Identify and document existing data processing operations (you can create a register of processing activities simultaneously)
- Review existing organization for efficiency and legal compliance
- Subject internal company processes to a risk analysis
Ideally, your inventory will result in a need for adaptation, which can now be broken down into smaller, individual action steps and then implemented. It is essential to define and delineate responsibilities clearly and document deadlines.
In most cases, the scope of the measures makes it unavoidable to prioritize specific changes: This should involve analyzing which areas carry the most significant risk and where the probability of a data protection breach occurring is highest.
At this point, a GDPR-compliant impact assessment can be performed, providing information about individual activities’ risks. In addition, you should weigh which processing and data collection activities are necessary and valuable and where data volumes can be minimized to reduce the legal risk.
The GDPR requires that only necessary data be collected, processed, and stored – but the less data actually is in circulation, the less work and liability risk for companies.
Internal data protection policy for companies
After successfully implementing data protection measures, it is crucial to establish an internal policy for future reviews to be conducted on an ongoing basis. It is the nature of corporate structures to change with the changing times.
They must be regularly checked and adjusted if necessary to ensure that restructuring or other changes in work processes, organizations, or technical conditions do not lead to data protection breaches or compliance measures being forgotten.
A clear code of conduct or internal checklist is also needed for internal investigations into potential compliance violations to ensure uniform solutions. Suppose you or your employees suspect compliance measures have not been applied or have not been applied correctly. In that case, the incident must be clarified immediately and, if in doubt, sanctions imposed. To avoid breaches, your employees should be preventively sensitized to the topic and receive training regarding data protection compliance and the measures to be followed.
Enable your teams to submit event-related notices, receive assistance, and make suggestions for improvement. This way, you can continuously improve your data protection compliance and create a pleasant working atmosphere.
What is a data privacy compliance system?
The data privacy compliance system combines measures taken for data privacy in the company. In other words, it is about developing a functioning system to implement data privacy legislation effectively.
The system forms the interface between data protection and compliance in your company. This includes many different factors that influence the measures and procedures. Two of the most important factors we explain below.
Technical and organizational measures (TOMs)
Technical and organizational measures (TOMs for short) play a special role in data protection. However, they are also crucial for information security – i.e., the area involving non-personal data (e.g., company internals, company secrets, and technical data).
The goal is also to protect corporate assets. While TOMs in information security are not mandatory but much more implemented out of the company’s interest, the GDPR clearly requires them for data protection (Art. 32 GDPR).
The GDPR requires that certain TOMs with appropriate protection standards are integrated, documented, and monitored to protect personal data in the company. Thus, it is inevitable to choose structured and, if possible, automated TOMs to operate effectively in compliance.
The whistleblowing system
The EU Whistleblowing Directive requires companies with 50 or more employees and the public sector to set up whistleblowing systems. Such a system enables employees to provide personalized or anonymous information about specific grievances or criminal acts within the company. EU member states must enact their national laws to protect whistleblowers.
But even before the legal provisions came into force, a whistleblower system was an important compliance tool. Many listed companies have worked with such systems for years to protect their reputations. As part of the compliance system, whistleblower systems ensure that risks and violations are reported internally and can thus be fought at an early stage.
The keyword in data protection here is – anonymous. Because this compliance strategy only works if the whistleblower’s identity remains secret. It is true that the new Whistleblower Protection Act does not give anonymous whistleblowers priority status. However, relying on anonymity to obtain valuable information without revealing the whistleblower’s identity has proven effective.
Even if the working atmosphere in the company is supposedly good, no one likes to admit to their mistakes, tell off a colleague, or criticize behavior in the executive suite. Accordingly, to implement legal requirements, a system is needed that enables internal solutions without negatively impacting the parties involved (e.g., through sanctions).
Data privacy compliance: Who is responsible?
In principle, everyone in companies is responsible for implementing data protection and compliance in their area. After all, most employees perform tasks that touch on data protection law or have interfaces with it.
However, since the company is liable for violations of data protection law, it is necessary to structure a separate department or compliance team that deals primarily with this subject area. A compliance officer or compliance manager usually acts in a managerial capacity.
Tasks of compliance managers
Compliance managers check compliance with applicable laws, directives, regulations, and other company obligations. They develop compliance management systems and use suitable software tools to support compliance.
In most cases, compliance officers undergo legal training or come from the private sector. It is also essential for compliance managers to undergo further regular training and thus remain up to date about data protection regulations.
Tasks of data privacy officers
On the other hand, data protection officers are responsible for the company’s data protection. They do not necessarily take an operational role but act in an advisory capacity. In addition to analyzing data security in the company, as experts, they make specific recommendations for action or possible improvements and monitor what is happening in the company in terms of data protection law.
Many companies rely on an external data protection officer here, as the neutral external position guarantees their monitoring function. The advantage of external data protection officers is that they do not need to be trained and already have in-depth knowledge of data protection. In contrast to internal data protection officers, who may feel connected to the company, external ones have an objective view of the company.
As mentioned earlier, there is a straightforward interface between data privacy and compliance, which is why data privacy officers and compliance teams always work closely together. In addition to agreements on specific data protection compliance, collaboration can also help to transfer the measures taken here to other areas.
Conclusion
Practice shows that existing compliance management structures often do not meet the legal requirements of the GDPR. However, increasing data processing, especially at the automated level, makes a good data protection compliance strategy unavoidable. Therefore, companies should not regard data protection issues as a problem for tomorrow but should deal with them intensively today to remain fit for the future.
Data privacy compliance is not a costly, bureaucratic burden but a great way to improve trust in the company and protect its reputation. Business owners should be equally aware that violations of data privacy regulations can result in sensitive penalties. After all, data protection is not just about protecting the concerned individuals but also the company from damage to its image and liability risks.