
Must-haves in your internal data protection management

Ensuring that companies are secure from a data protection point of view is no longer a voluntary requirement; it is a mandatory duty. For many companies, however, comprehensive data protection management is not yet self-evident. We explain what needs to be considered.

The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. Since then, at the latest, the topic of data protection has arrived in all industries. But what are the main features of comprehensive data protection management? Here is an overview of the most important cornerstones of a complete data protection set-up:

Website

Many companies see their website as a flagship. Unfortunately, basic data protection settings are often lacking here. It is important that you keep an eye on the current legal situation and react accordingly. The best example of this is the issue with cookies. Although all cookie banners are required to include the function of a ‘reject-all-cookies’ button, there are still countless website operators who are not yet aware of this requirement. Other requirements, such as that the privacy policy should be accessible by just one click, or that contact forms must be sufficiently encrypted, are not yet in every operator’s repertoire of knowledge. Those who find it too tedious to take care of this themselves should have it done by a trained agency or work with a data protection officer who knows the case law and requirements of the GDPR. In any case, both of those options are a good investment – failure to comply with the requirements can result in warnings and, in the worst case, fines.

Data protection officer

A data protection officer, or DPO for short, is mandatory for German companies with more than 20 employees who are constantly involved in the automated processing of personal data. It is important to note that trainees, part-time employees, temporary workers etc. also count towards those 20 employees. There are also other cases in which a DPO must be appointed in Germany:

– the processing is carried out by a public authority or body;

– the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;

– the core activities of the controller or the processor consist of processing on a large scale of special categories of data (Article 9 (1) GDPR) or personal data relating to criminal convictions and offences (Article 10 GDPR);

– the controller or processor carries out processing operations that are subject to a data protection impact assessment;

– personal data is processed on a business basis for the purpose of transfer, anonymized transfer or for a market or opinion research purpose.

If no DPO is appointed, you risk receiving a warning or a fine. Regardless of these risks, it still makes sense to have a data protection officer within the company: not only does he or she help to check the current status of data protection, the DPO also closes existing gaps and handles ongoing data protection requirements, such as data subject inquiries. Since data protection is a broad and very dynamic area of law, getting the help of an expert is definitely recommended.

Digital data privacy management

Say goodbye to Excel lists and ring binders – functional data protection management is digital today – and that is a good thing! The greater the variety of programs and systems used in a company, the more difficult it becomes to manage them from a data protection perspective. A classic example is a deletion request from a data subject. With digital data protection management, it is quick and easy to find out in which systems the relevant personal data has been processed, so the request can be complied with within the required time limit.

You can decide whether you prefer semi-automated or fully automated software solutions. A fully automated data protection software solution, such as Proliance 360, can not only independently identify gaps in data protection management, it also supports the data protection officer with concrete templates, samples and instructions on how to take action. 

Train employees

One of the most important points in comprehensive internal data protection management is educated employees. While it is mandatory to train your employees in data protection, it is another matter to actually get them to understand the value of a functioning corporate data protection system. Due to COVID-19, many employees are either required to work from home or choose to do so.

This calls for new digital training which can not only be conducted from home, but also addresses how to work in the home office securely. Educated employees act with more foresight, are less likely to make far-reaching mistakes and thus actively help to set up a company securely in terms of data protection. After all, the protection of data within a company can only be as good as the training that its employees received. 

Last but not least, it is also important to react to current events, because – although it is not necessarily obvious – they can also have a massive impact on a company’s data protection set-up. The coronavirus has forced many companies into remote work – including many teams that previously had little or no experience with it. The widespread home office has brought many new privacy questions to our attention that may not have been addressed before: Is it regulated whether private devices can be used for work purposes? Is encryption sufficient for electronic data transmissions from the home office? Do all employees know that they should only be using secure wi-fi connections? Questions like these can be clarified in a privacy policy specifically for work at the home office. If you take the initiative and train your employees on data protection issues right from the start, you will be ahead of the game and prepared for unforeseen events such as an abrupt move into the home office.