The EU legal framework on data protection has been harmonized with the objective of establishing a high level of data protection, as highly standardized as possible, for the processing of personal data. The new EU General Data Protection Regulation, aimed at improving the protection of personal data, came into force on 25 May 2018.
The introduction of the EU-GDPR requires that all companies review existing data processes and create numerous new processes. In addition, existing models, checklists and contractual documents must be revised. Furthermore, technical and organisational measures must be adapted. Organisations that fail to comply with the new regulation face fines of up to 20 million Euros or 4 percent of their global annual turnover.
Some central aspects of the EU-GDPR have been listed below.
Processing of personal data for clear and legitimate purposes only: Generally, personal data must be saved in a form and manner that enables the data subjects to be identified only for as long as this is necessary and for the purposes for which these data are processed. Once they are no longer needed for the purpose for which they were collected, personal data must be deleted. If data subjects withdraw their consent to the use or processing of their personal data, organisations are obliged to delete (‘erase’) the relevant information.
Extended duties of documentation: The GDPR introduces additional obligations for companies, in particular in the field of documentation. While organisations no longer have to maintain a public directory of procedures, the obligation to keep internal records of their processing activities has been maintained and even extended.
Minimising risk: The EU GDPR pursues a risk-based approach, focusing on the “risks for the rights and freedoms of natural persons.” Such risks may arise in case of personal data breaches. Given this, the regulation requires that personal data breaches must be reported to the competent supervisory authority within 72 hours. Organisations should clearly regulate the roles and responsibilities within their data protection organisation and establish and document the processes necessary to mitigate the existing risks.
In certain cases, the EU GDPR requires detailed risk assessment prior to the introduction of data processing. Risk assessment in this context extends from systematic description of the planned activities and purposes of the processing of personal data to documentation of the actions planned to mitigate the risks and ensure the protection of personal data.
TÜV SÜD recommends that organisations identify processes falling under the scope of the GDPR, and that they conduct initial checks by aligning existing processes with the new requirements. As the EU GDPR has already come into effect, it is high time to complete the implementation of compliant processes and systems.
A leading expert on regulatory frameworks and process optimisation, TÜV SÜD supports businesses in the process of becoming EU-GDPR compliant. Contact us today to learn more about our services.