Compliance management in light of the EU General Data Protection Regulation
June 2018 | EXPERT BRIEFING | DATA PRIVACY
From 25 May 2018, the EU General Data Protection Regulation (GDPR) will apply and replace the national data protection law in force until then. As a consequence, private companies (as well as public authorities) will have to comply with comprehensive new legal requirements on the processing of personal data, and they are therefore now faced with the task of implementing appropriate data protection measures.
More efficient processing of personal data calls for stronger protection measures
The GDPR is a reaction to the far-reaching changes brought about by technological progress in data processing. Today's technology allows private companies and public authorities to make use of personal data on an unprecedented scale, which in turn calls for stronger protection measures. For this reason, the GDPR not only lays down very detailed legal requirements for data processing, but also imposes strict penalties in the event of a violation. Fines can reach up to €20m or 4 percent of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. Non-compliance therefore carries a far higher financial risk than before.
As an EU regulation, the GDPR applies directly in the EU Member States and takes precedence over conflicting national law. However, it contains opening clauses that allow Member States to enact complementary legislation. The complementary act in Germany is the revised version of the ‘Bundesdatenschutzgesetz’ (BDSG), which contains more specific provisions on the protection of employees’ personal data in the employment context. Like the GDPR, the revised BDSG will apply from 25 May 2018.
Central principles relating to the processing of personal data
The GDPR will apply to all processing of personal data that falls within its territorial scope, which is not limited to companies based in the EU: it also reaches companies outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. At its core, the GDPR imposes a series of central principles for the processing of personal data. These principles are “lawfulness, fairness and transparency”, “purpose limitation”, “data minimisation”, “accuracy”, “storage limitation” and “integrity and confidentiality”. Beyond that, the controller of personal data must be able to demonstrate compliance with these principles, the so-called “accountability”.
These principles are further specified and complemented by accompanying provisions. First, the principle of lawfulness is given concrete form by Article 6 of the GDPR, under which the processing of personal data is lawful only if and to the extent that at least one of the legal bases listed there applies. For internal investigations, the most important legal basis is the “legitimate interests” ground in Article 6(1)(f): processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. In view of the accountability principle, this balancing of interests should be carried out and documented before the investigation starts.
Furthermore, the principle of transparency is complemented by the information duties laid down in the GDPR: the controller is generally obliged to inform the so-called data subject (the natural person whose personal data are concerned) that their personal data have been obtained, and must grant the data subject access to those data on request. The principle of storage limitation, in turn, is complemented by the so-called right to erasure (“right to be forgotten”). Under the GDPR, the controller is obliged to erase personal data without undue delay once they are no longer necessary for the purposes for which they were collected. This requires companies to define and implement appropriate erasure concepts, i.e., retention periods and deletion procedures for the data they hold.
Finally, it should be noted that in the context of internal investigations, where the processing of personal data is typically likely to result in a high risk to the rights and freedoms of natural persons, the company will usually have to carry out a so-called data protection impact assessment before the processing begins.
In order to meet the requirements of the GDPR, affected companies must develop and implement appropriate organisational concepts. A standalone data protection management system is not necessary, however: an effective data protection management system can be integrated into an existing compliance management system (CMS) by way of adjustment. In view of the financial penalties for non-compliance described above, this will require a fresh risk assessment. The company’s data protection and compliance functions will therefore have to converge more closely than before. Internal investigations, which are intended to prevent compliance violations, can themselves become compliance violations if the data protection rules are not observed. It will therefore generally be advisable to establish a common responsibility for data protection and compliance.
In addition, the GDPR (and, going further, the BDSG) requires many companies to appoint a so-called data protection officer. The data protection officer must be involved, properly and in a timely manner, in all issues relating to the protection of personal data, must not receive instructions regarding the exercise of his or her tasks, and reports directly to the highest management level. Furthermore, to comply with the principle of integrity and confidentiality, companies are obliged to implement technical and organisational measures that ensure a level of data security appropriate to the risk. In terms of documentation, companies are required to maintain a record of their processing activities in writing, including in electronic form. Compliance with these requirements can be ensured by appropriately adjusting an existing CMS.
From 25 May 2018, companies will have to comply with new legal requirements on the processing of personal data. At its core, the GDPR contains a series of central principles relating to the processing of personal data, complemented by further specific provisions. It forces affected companies to implement effective organisational structures in order to meet its requirements, and it is generally advisable to integrate an effective data protection management system into an existing CMS.
Professor Dr Jochem Reichert is a partner and Thomas Glaser is a lawyer at Schilling, Zutt & Anschütz Rechtsanwaltsgesellschaft mbH. Both can be contacted on +49 621 4257 229.
© Financier Worldwide