Is your data processing operation compatible with the new GDPR?
The Current Situation
Be it information regarding employees, customers or potential business partners, personal data is a necessity for doing business. Not only is it used in contacting, making offers or entering into business agreements, but it can also be statistically processed to serve as a basis for important management decisions. In fact, many companies save comprehensive personal data over a long period of time to ensure that it is available for future uses – e.g., for introducing a new product, informing about new fees or prices, or to expand the product range. The EU’s new General Data Protection Regulation (GDPR) will place significant limitations on the way personal data is processed.
The General Data Protection Regulation
On May 25, 2018, the new European-wide data protection regulation takes effect. The requirement to notify a data protection authority is replaced by the companies' own accountability for compliance. In general, it will only be permitted to process personal data for the respective specified purpose. To ensure that this is the case, companies must maintain a written record of data processing activities and carry out impact assessments for potential data breaches, as well as comply with the comprehensive obligation to keep data subjects informed. In addition, significant penalties will apply in the event of data breaches. The website of the Austrian Federal Economic Chamber offers additional information.
There are many unresolved questions: How should the obligation to inform be implemented to comply with Art. 13? Data must be deleted on demand – does this also apply to backups? Is it permissible to send emails showing the addresses of all recipients? Which employees may be granted access to CRM data? What constitutes a reportable data breach? And finally: What documentation is required and what technological measures must be implemented with respect to data protection?
Companies face three key challenges under the new regulation:
- Clarifying the legal issues: As with any comprehensive piece of legislation, there is a certain amount of leeway when it comes to interpreting the requirements – i.e., what is reasonable for the specific situation? What constitutes a legitimate interest? Such questions are usually resolved at the highest court level, which means expert legal advice will be required.
- Data processing: In what form and structure should data be processed? What sort of authorization systems need to be implemented? How can the duty of disclosure and obligation to delete data be met at all times? How can data be anonymized in conformity with the law? Here, IT experts will be needed.
- Defining the processes and creating a handbook: How will competences and responsibilities be determined? How will authorization systems be implemented? What workflows must be defined: e.g., when data is processed for statistical purposes or when a request to delete data is received? Here, process managers will be needed.
As a company focusing on software integration, we support clients in the following ways:
- Evaluating the status quo and defining the necessary adaptation measures. The results also serve as a basis for legal clarifications.
- Determining the required processes and processing steps. Based on the client’s use cases, we help define the necessary processes and authorizations – from data acquisition and processing through to deletion, including anonymization for statistical purposes or the reporting of data protection breaches.
- Creating a register of processing operations and a handbook to help companies meet their compliance obligations.
- Training key personnel.
- Testing and analysis in support of adequate implementation of the register of processing operations.
Why you should act now
Speed is of the essence in implementing the GDPR. At the same time, many experts agree that implementation should not be left to the IT department alone, for it affects the entire company. We recommend you take advantage of expert know-how from the outside, such as that offered by the Austrian Federal Economic Chamber and lawyers familiar with the issue.
When it comes to analyzing your operations, defining the necessary processes and testing implementation, OBJENTIS is your competent partner!