Data protection in the enterprise: What you need to know
The GDPR, which came into force in 2018, still poses challenges for companies within the European Union. Not only is there a need for comprehensive data protection compliance in many companies, but implementing individual regulations also raises many questions in practice.
However, it is a fallacy to believe that violations of the GDPR can be overlooked. Instead, sales-related penalties in the millions are imminent. But how can data protection be implemented in the company? And what obligations do companies have to fulfill? This article will tell you more.
Do you need support or have questions about data protection? Our team consists of experts from the fields of data protection law, IT, and security. We would be happy to support you in a non-binding personal meeting with any open questions you may have about data protection.
The most important facts in brief
- In addition to requirements regarding data protection declarations, data protection officers, handling of employee data, and disclosure obligations, the DSGVO also contains many other legal regulations regarding the organization of data processing.
- Since the introduction of the GDPR in 2018, violations of corporate data protection can cost companies up to 20 million euros in fines or 2-4% of annual turnover. Reason enough to take a closer look at the obligations of the GDPR.
- Although compliance with the data protection rules requires much effort, we should always see it as an opportunity. After all, in addition to avoiding high fines, good data protection can also improve the image, strengthen customer trust and positively influence purchasing decisions. Data protection reviews also lead to process improvements.
Why data privacy is essential for companies
There is no denying that implementing data protection regulations means long-term work. Many companies, therefore, see the requirements of the GDPR as just another burden imposed on them, which means one thing above all: effort. However, the GDPR and its obligations also bring some advantages.
Build trust and secure competitive advantage
We have arrived in an age in which data misuse and hacker attacks have long ceased to be a rarity. Companies that emphasize data security and thus protect their customers and business partners can gain or maintain public trust.
In this way, they can not only retain existing customers and partners but also gain new ones and set themselves apart from competitors. But employees also develop a better sense of risk in their work and handle the data entrusted to them more carefully if they receive sufficient training and information.
Raising awareness of data protection issues
In addition, the GDPR “forces” companies to take another close look at their processes and structures and to rethink them. This reveals where there are risks concerning data protection, which work steps may be outdated and obsolete, and where functions can be simplified.
If you take a close look at all your company’s processes, you can modernize your company and give it a thorough “clean-up” – in other words, make it fit for the future.
View the current change as an opportunity to bring about positive changes in your company, standardize processes, bring everything up to date and drive digitization forward.
What does the GDPR say about data protection in companies?
In 2018, the General Data Protection Regulation (GDPR) came into force, which was intended to introduce uniform regulations within the European Union for data protection in companies and public authorities. The GDPR thus replaced national legal rules and created many innovations.
Data protection primarily means protecting personal data that is not or may not be accessible to the public. Personal data is all information that directly concerns a natural person, i.e., a human being, and reveals facts about them. This includes names, dates of birth, religion, health data, or that person’s connection with a company, whether as a customer, patient, or business partner.
Dealing with this information is always governed by data protection. There is an obligation to collect only the minimum amount of personal data and to prevent access by third parties. Therefore, only the necessary data may be collected in the first instance. Furthermore, this data must be protected so it cannot leak out.
In addition, the persons concerned have the right to determine which of their data they wish to disclose and whether this data may be processed or passed on (so-called informational self-determination).
In plain language: anyone who collects, stores, or processes data in their company must base their data processing on a legal basis and, for example, obtain the consent of the data subjects for the processing. The data subjects may revoke their consent once given at any time.
Data protection and advertising – how do they fit together?
Especially in advertising, many companies are uncertain, as they often address and contact their customers directly via specific channels. In most cases, this also means data processing at the same time.
Even or primarily because the GDPR does not provide for any specific regulations on the topic of advertising measures, we believe it is essential to provide companies with some information:
Protecting legitimate interests
Personal data may only be used to place advertising if there is no overriding interest of the data subject to the contrary, such as informational self-determination.
The fact that companies have a legitimate interest in data processing is presumed- this is important for economic growth. However, they must weigh which personal data is being used in each case and whether the protection of this is to be weighted higher than the advertising measure.
In principle, companies may continue to contact prospective customers and customers with direct advertising. According to the new GDPR, this must only be documented and controlled more strictly. In addition, they must comply with the applicable competition law, which requires prior consent in most cases.
Emails and telephone calls
Nothing has changed here due to the introduction of the GDPR, as telephone or email canvassing is regulated by the Act against Unfair Competition, which stipulates that the recipient’s consent is and remains required for newsletters, telephone calls, or email contact.
Newsletter
For newsletters, the recipient’s consent is always necessary. In addition, companies must already inform at the time of newsletter registration to whom and for what purpose data will be transmitted.
In most cases, it is sufficient to refer to the data protection information that you (must) provide on your website. There must also always be the option to unsubscribe from the newsletter.
Right of objection
Every recipient of advertising has the right to object to the sending of advertising at any time. As soon as the data subject provides their data, in addition to the information that the data will (also) be used for advertising purposes, the right to object must be pointed out.
Technical and organizational measures
According to the GDPR, companies must ensure adequate personal data protection through appropriate technical and organizational measures. This means they must weigh up which procedures and processing operations pose more or fewer risks and how high the level of protection must be.
Technical measures refer to data processing operations as such. These are measures that can be implemented physically, such as the installation of an alarm system or a light barrier.
Organizational measures are the rules and conditions of a data agreement. Here, courses of action should be defined and principles established that tell employees how to implement data protection.
Although the GDPR does not prescribe any courses of action, it does describe data protection goals that companies can use as a guide. However, how to achieve them is at the company’s discretion.
The decisive factor for the choice of measures is the existing risk to data subjects and their data. The riskier the processing and the more sensitive the data, the higher the data protection and security measures must be.
Companies must take measures on the following points:
- Confidentiality
- Encryption
- Integrity
- Pseudonymization
- Availability
- Recovery of data
- Resilience of systems
- Review, assessment, and evaluation
- Instruction of employees
It is not necessary to implement all technical and organizational measures and have them at hand at all times. Instead, it is a toolbox from which you select the appropriate measures and integrate them into your business processes.
Nevertheless, it makes sense to protect data processing with several measures. This way, your company is on the safe side and protects itself from potential incidents that can mean fines in the millions and reputational damage.
Checklist: How to implement technical and organizational measures
-
- Check contracts for GDPR compliance.
- Identify all personal data that you or a service provider process.
- Create a record of processing activity in which you document the measures.
- Analyze the risks of the individual processing of personal data.
- Use a data protection impact assessment if required.
- Take a close look at existing measures and check whether they are adequate. Use state-of-the-art as a guide.
- Assign the existing measures to the new categories (see above) and add any necessary measures.
- Offer training for your employees.
Why do companies need data protection compliance?
Compliance means adherence to all laws and guidelines relevant to companies, national or international. In addition to applicable commercial and corporate standards, this includes criminal and data protection laws.
In EU countries, the GDPR is of particular relevance. In practice, compliance requires taking care of the lawful conduct of the company in all business areas. In this context, whether the issue is labor law requirements in the HR department, billing practices in sales, or cross-departmental matters is initially irrelevant.
On the other hand, data protection compliance means adherence to data protection laws within the company. The central objective is to avoid liability risks and reputational damage by implementing data privacy compliance.
Advancing digitization and modern business processes mean a compliance strategy is only possible by considering the GDPR. An effective management system for data protection compliance is therefore required, which must be continuously monitored and further developed after implementation.
What are the penalties for data protection violations?
Non-compliance can result in sensitive penalties for companies – the relevant supervisory authority can impose up to 2-4% of annual global sales for violations. If such a penalty is set, it usually happens in public. Thus, a sanction may well impact a company’s image and cause customers, employees, and business partners to boycott the company.
To date, around 1,300 fines have been imposed in Germany, totaling 2,099,520,477 euros (as of October 2022). The seven highest fines already account for more than half of the total.
If these violations by Germany’s most prominent companies are factored out, the average fine per company is around 400,000 euros. What’s more, the damage to the company’s image lingers in consumers’ minds for years. Companies should therefore be conscientious when it comes to data protection and work with data protection experts who can provide them with comprehensive advice and support.
Checklist: Data privacy for companies
It is beyond the scope of this article to go into all the obligations of companies. In our knowledge hub, you will find comprehensive articles on individual obligations’ requirements, which explain in detail which steps to take.
In the following, we have compiled a checklist for you, which should clearly illustrate where you can start in your company:
- Data protection officer: many companies must appoint a data protection officer. External and internal data protection officers are responsible for compliance with the GDPR and assume a control function. The advantage of an external data protection officer is that they are already specially trained and professionally experienced.
- Record of processing activities: Keep a record of all processing activities in your company. It must include, among other things, the persons responsible and the purpose of processing the personal data.
- Data protection notices: Data subjects must be informed about data processing. Such data protection notices must be included on every website.
- Confidentiality obligation: all employees must be informed in writing about the confidentiality of personal data and the confidentiality obligations and commit themselves to this.
- AVV contracts: Service providers who process personal data externally must sign an order processing contract.
- Technical and organizational measures: Establish a concept with technical and organizational measures in your company – to keep the risk of data processing as low as possible.
- Employee training: Train the responsible employees comprehensively and regularly on the obligations and ways of working with personal data. Remember to include freelancers and other service providers.
- Emergency plan: Despite all preparation and caution, a data protection mishap can always occur. Develop a concept of what to do in such an unexpected case, how to notify the affected persons, and who will inform the responsible supervisory authority. All of this must be done within 72 hours, which is why it is essential to work out a plan in advance that will automatically take effect in the event of an emergency.
Conclusion
Implementing the regulations contained in the GDPR indeed means much work for companies. However, it should also be recognized that opportunities and benefits can certainly be drawn from the GDPR.
But even if you are still looking for a substantial advantage or sense in data protection, you should pay attention to it. The risks should never be underestimated.
You should therefore take precautions, identify and eliminate risks with tact and take appropriate measures for the best possible data protection. After all, if it’s too late, you could face a fine and, in the worst case, damage to your reputation.