Data protection management system: What companies should know

Data protection is more and more an essential part of every company’s organization because national and international laws such as the GDPR are placing increasingly far-reaching requirements on companies. Our data protection management system helps to meet these requirements while working highly efficiently and digitally.

But how does a data protection management system work? And can a data protection management system be successfully integrated into a company and its processes? – This article will tell you more.

The most important facts in brief

• Anyone who processes personal data must ensure data protection per the GDPR. Usually, this is done via a data protection management system.
• Data protection concepts should provide information on how data protection is implemented in the company. In this context, the company or other responsible bodies can develop appropriate measures and systems individually.
• There is no explicit legal obligation to use a data protection management system. However, given the abundance of legal requirements for data protection, companies have no choice but to implement a comprehensive management system.

Definition: Data protection management system

A data protection management system (abbreviated to DPMS) is an organizational tool that combines the legal and operational requirements for data protection and systematically organizes, manages, and controls them, thus ensuring compliance with data protection regulations.

Caution: Since the data protection management system is sometimes abbreviated to DMS, there is a high risk of confusion with the term document management system, whose abbreviation is also DMS. Although the data protection management system also includes the organization of documents, the DPMS is much more far-reaching and contains significantly more functions than the DMS. Therefore, a clear distinction and differentiation in content is absolutely required here.

A data protection management system should help create a clear structure within the company while simultaneously keeping the risk of violating a legal regulation as low as possible. The system thus supports the implementation of data protection utilizing organizational measures.

Responsibles for data protection – usually the managing directors – are obliged to cooperate with the competent supervisory authority at its request and provide it with all the information required for its work. Accordingly, those responsible must ensure that the authorities can quickly inform themselves about the company’s compliance with data protection.

For this reason, the data protection management system should be integrated into the business processes so that data protection is integrated into the corporate structure in a long-term, traceable and verifiable manner.

GDPR and data protection management

A data protection management system is not explicitly mentioned within the GDPR. However, it can be deduced from provisions.

Companies must basically fulfill their documentation obligations, accountability obligations, and, if applicable, requirements for processing agreements. From a legal point of view, these overriding obligations include many requirements for their implementation. This makes it almost impossible for companies to do without a data protection management system.

The function of a data protection management system is not least to identify and eliminate data privacy problems and risk factors to protect personal data. Learning from mistakes and optimizing them within procedures, policies, and automated processes is also an essential part of a DPMS. Therefore, it is necessary to integrate a data protection management system into the company’s procedures for efficiency reasons.

In this context, data protection management is characterized by the legal requirements of the GDPR, which cover the following processes in particular:

• Documentation of data processing
• The agreement, management, and documentation of commissioned processing activities
• Monitoring of technical and organizational measures
• Authorization concepts
• Deletion concepts
• Implementation of data protection impact assessment
• Handling of data protection incidents
• Communication with data subjects

A sensible data protection management system considers these corporate processes and legal regulations that the GDPR imposes on companies. However, the DPMS is only functional if all company departments cooperate and work together effectively. Our professional system works with agile task controls that recognize and automatically create such links.

By implementing the data protection management software, the legal requirements of data protection can be systematically organized. A certified data protection officer usually performs the tasks associated with the software. This person is entrusted with monitoring the data protection-compliant implementation of all legal requirements.

For example, if data protection is outsourced to an external data protection officer or a data protection advisory, the officer deals with implementation, evaluation, and documentation within the corresponding software. In any case, however, the responsibility lies with the company’s management, which is responsible for legally complying with processing personal data.

Good to know: To distribute complex tasks well and relieve the data protection officer, it can be helpful if the software can perform specific tasks intelligently or at least delegate them.

Structure of the data protection management system

The data protection management system consists of various components and processes that vary depending on the company and industry. We have compiled a list of the factors that can be included:

Process analysis of data processing

Your company should first analyze and classify all risky processes. Only then can the data protection management system draw up an agenda for implementing measures. This agenda explicitly shows which data protection requirements should be prioritized and how they can be categorized.

The implementation of the data protection agenda and its contents then begins. This kind of to-do list always shows, at any point in time, which data protection tasks still need to be implemented and which topics are already being addressed.

Records of processing activities

All processing activities must be recorded and listed to identify and filter all processes and risks. This requires a comprehensive register of processing activities, which is also provided for in Art. 30 of the GDPR. According to this, the processing of personal data must also be described in detail.

Technical and organizational measures

In addition to the processing activities, the implementation of technical and organizational measures (TOM) should also be compiled in an overview (Art. 32 GDPR). For the GDPR, this documentation plays an essential role, as it provides information about the security of the company’s data. Companies are therefore obliged to document their TOM. Complete and detailed documentation provides evidence that appropriate measures are taken.

Control of processing agreements

More and more companies are using external parties or companies to process data on their behalf, which is permitted under data protection law and explicitly mentioned in Art. 28 GDPR. However, a data processing agreement (DPA) is also a legal requirement.

In practice, more and more companies are using such processors to save human and economic resources. However, even when processing is outsourced, the companies must monitor and ensure that data processing complies with the applicable laws.

Processors are bound by instructions in this respect and act as helpers for whom the principals are liable. Therefore, integrating their activities into data protection management is essential.

Retention or deletion concepts

Specific statutory retention periods apply to companies, for example, for invoices. Sections 238, 257, and 261 of the German Commercial Code (HGB) are particularly relevant for merchants. The GDPR also contains regulations on the retention of personal data. It provides that personal data may only be stored for as long as there is a legal basis for doing so (Art. 5 in conjunction with Art. 6 GDPR).

This means that personal data may not be kept beyond the time limits of the German Commercial Code or other laws without good reason. The Priverion data protection platform considers this; it automatically detects and reports when the relevant deadlines have been exceeded. In addition, a deletion concept should take effect when the deadline has passed.

Contingency plans

As with all business processes, data protection mishaps and errors can occur. Regardless of whether these are human or software-related, a data protection management system should always respond immediately and have an appropriate concept ready for how such data protection mishaps can be minimized and resolved. This keeps the resulting damage as low as possible.

Data protection guidelines

In medium-sized companies, all employees must have access to the applicable data protection guidelines at all times. The company’s management should, therefore, first summarize the operational and legal data protection regulations into a separate data protection notice and then make this available to all employees.

In addition, employees should be regularly informed about the regulations and trained accordingly, for example, by certified data protection officers or external instructors. Important documents in this context are, for example, the “Commitment to Data Secrecy” or the “IT Usage Agreement.”

Data subject rights

The GDPR grants comprehensive rights to data subjects (Art. 12-23 GDPR). Relevant for companies is, for example, the right to information or the right to delete their data. To grant a data subject their rights, companies need a concept for how inquiries are processed or how data subjects can be contacted in an emergency. For this purpose, processes should be defined in the DPMS for dealing with data subjects.

Conducting and evaluating data protection impact assessments

The data protection impact assessment is a procedure similar to the prior checking procedure in the German Federal Data Protection Act (BDSG). It is an instrument for risk assessment of individual processing operations.

Before such processes are used, an assessment should take place, and an analysis should be made of what risk the individual process poses and what can be improved if the risk is high. This is intended to prevent data protection mishaps and protect data subjects.

Control and data protection audits

All personal data processes should be documented in the DSMS and continuously monitored to fulfill the company’s accountability obligations. Data protection audits ensure that relevant procedures are reviewed and analyzed regularly.

Employees should also be informed about and sensitized on essential issues. These checks and data protection audits should then be recorded and stored in the DSMS so that they are not forgotten, and proof of the audit can be provided later.

Status inquiry

In addition to data privacy audits, it can be helpful to hold status discussions with the responsible employees in the company and external data protection officers at regular intervals. This is intended to determine the status quo regarding data protection law. The DPMS should be used to document and securely store the minutes of the discussions.

Employee training

Under the GDPR, companies and public authorities are responsible for data protection compliance and may also be liable for it. Since a company, as such, cannot comply with data protection itself, individual employees are responsible for implementing it accordingly.

They must be regularly trained and informed to always be up to date and know all legal and operational regulations. There are various ways of doing this, such as online training, newsletters, circulars, or workshops. These pieces of training should take place regularly and are part of a data protection management system.

Create an effective data protection management concept

To comply with all the regulations of the GDPR, companies must develop a suitable data protection management system. For this purpose, there is ready-made data protection management software such as that from Priverion.

Alternatively, you can develop your own concept tailored precisely to your company’s needs. Choosing a procedure that constantly checks and documents compliance with data protection principles is best.

With our software, you are on the safe side because it is constantly adapted to the new laws and jurisdictions. In addition, you enjoy the advantages of digital processes here (e.g., IT security, cross-device access, automated deadline management).

The goal should be to guarantee sufficient protection and security, avoid breaches, ensure rapid data recovery in the event of an incident, and minimize the risk of a data protection mishap. If you want to develop your own data protection management concept, you should proceed in the following steps:

1. name and document data protection goals.
2. create an inventory (question the current status).
3. drive implementation forward (appoint responsible employees, delegate tasks, provide training, appoint company data protection officer, create new documents, establish data protection rules, implement data subject rights, etc.).
4. integrate audits (monitoring and software, suppliers, and employees controls).
5. make improvements (eliminate or minimize errors and risks identified during reviews).
6. re-examine relevant processes and the status quo (follow up with improvements as a continuous cycle).

Sample of a data protection management system

There is no “right” model for a data protection management system because a sustainable and productive system is always individually tailored to your company’s needs. Many companies work with a software-based system that uses artificial intelligence or other automation to detect errors and automatically control and improve them.

Alternatively, companies can also organize data protection analogously with the help of people. To do so, they must first determine all tasks and discuss procedures before assigning them to individual employees.

In larger companies, however, it is advisable to use software that can cope with the many data protection requirements. Otherwise, the implementation and distribution of tasks can quickly become confusing. In addition, employees must also be entrusted with data protection tasks. The software should never be used alone for data protection; instead, it is a matter of an interplay between digital and analog fulfillment of data protection obligations.

Conclusion

The growing number of data protection regulations makes it almost impossible for companies to get by without a data protection management system. Creating such a system involves much work and can be adapted individually to the company and its activity or industry.

Even if data protection is not usually the core of entrepreneurial activity, it should not be neglected in the company. Instead, all employees should be involved in developing an effective data management system. In any case, merely putting a data protection management system into operation does not protect against fines (for example, in the case of unlawful processing, Art. 77-84 GDPR).

Companies that are well positioned to fulfill their data protection obligations and document and structure their processes are on safe ground. A good concept prevents breaches of obligations, and a sound data protection management system is also considered when assessing fines.