EU General Data Protection Regulation - Making companies ship-shape for data protection
The European General Data Protection Regulation is to enter into force on 25 May 2018. Dr. Christian Lenz is an attorney at law at dhpg and works as an external data protection officer. In this capacity, he provides enterprises with comprehensive advice on issues that will soon become relevant so that they can take the right action at the right time. He works closely with experts from the areas of risk management, compliance and IT security. In an interview he answered the following questions:

Why has this new regulation been issued? What was the underlying reason?

In spite of the fact that a European Data Protection Directive already exists, from a legal perspective the data protection realm has resembled more of a patchwork quilt thus far. The European General Data Protection Regulation has now created a uniformly high level of data protection in the European Union. It is binding on all Member States of the European Union. In other words, all countries in the EU have to implement the wide-ranging measures contained in it. This is a welcome development. In addition to a harmonised framework, law governing data protection will be better able to cope with future developments. This is aptly demonstrated by the openness of the Regulation to future technological and economic progress. At the same time, it takes into account the fact that the free flow of goods, capital and services requires unimpeded data exchange - and all this on the basis of a uniform, high level of data protection.

Germany is considered to be the country with the strictest data protection requirements. Why do we nevertheless need to take action and which actors are affected?

For years now Germany has been considered to be a pioneer in the area of data protection and has been able to have many of its ideas and systems incorporated in the new Regulation. In the past, however, national data protection officers, who were not equipped with adequate human resources, only took action if specific complaints were filed or in the case of flagrant violations. In the future, on the other hand, companies will have to document and provide evidence that their operations conform to data protection requirements. Those companies that have already established appropriate data protection structures of course have a head start. Companies that have tended to assign data protection to the back seat thus far need to rethink things and put this topic on their agenda. There is a need for action at all companies, however. In the future, they may face significant fines - for example if they fail to meet documentation obligations. This ratchets up liability risks if data protection rules are violated - not only for enterprises, but also for individual managing directors and data protection officers.

Where do companies need to focus their attention now? From a practical perspective, what are the most important aspects?

Meeting the plethora of detailed obligations poses a real challenge that needs to be addressed in a step-by-step manner using checklists. It is of paramount importance that the future significance of data protection be recognised and addressed strategically and operatively. We advise our clients to develop a compliance structure to protect personal data that lays down appropriate principles and measures, but also the organisational structure needed to ensure adherence to data protection requirements. This translates into a need to reflect on many processes already in practice at enterprises. This effort will of course have to be scaled properly in a pragmatic way that is in line with the size of the company, especially in the case of SMEs. The Regulation stipulates that companies are to carry out an assessment of risks and possible consequences for all critical data processing that they perform. This will make data protection an integral part of risk management. All the practical tasks that need to be tackled automatically emanate from this.

What will happen if my company does not do anything?

The European General Data Protection Regulation provides for steep fines of up to € 20 million or up to 4% of a company's global sales. Fines have deliberately been set at such high levels to ensure that they are effective, proportionate and have a deterrent effect. The latter demonstrates the political will to bring about a certain minimum data protection level no matter what. Similar to the situation in the field of anti-corruption law, governing institutions of enterprises will face individual damage claims from their companies in the event of fines being imposed. For this reason, third-party managing directors in particular are well advised to redouble compliance efforts like the ones described above in the area of data protection. Independently of this, it is common practice nowadays to manage personal data flows between contractual partners on a sound, proper footing. Otherwise such contractual relationships do not come about in the first place.

Why should companies devote their attention and resources to the Regulation already now?

25 May 2018 is not all that far off when one considers the time required to implement such change projects. You should keep in mind that under some circumstances the entire data protection structure may have to be elevated to a higher level. This requires adequate preparation time.

Where are the advantages of an external data protection officer to be found in this connection?

A company that employs ten or more staff members who collect or use personal data by means of automated processing in the course of business still has to appoint a data protection officer. The alternative to selecting someone internally at the company is to assign this task to an external data protection officer. He or she provides advice on all issues relating to data protection, keeps the company up to date and trains the employees. Another argument in favour of an external data protection officer is that a trained expert closes open gaps in "data protection". This is the best conceivable alternative for many small and medium-scale enterprises.

Thank you.