08 January 2018
Data protection and data security have dominated public discussion lately. Despite this, there is great uncertainty among public authorities and companies regarding implementation of the GDPR, for two reasons. First, the legal situation is convoluted and in many cases still unclear. Second, technological progress creates a constant need for new solutions. The possibilities of handling and misusing personal data are changing faster than legislators can regulate them. The E.U. General Data Protection Regulation (GDPR) is intended to guarantee security for the long term by developing binding, up-to-date rules and processes to protect personal data comprehensively.
However, the new regulation is also causing uncertainty. There are issues that need to be resolved:
WHAT is changing and WHEN will the changes take effect?
WHO will be affected by the changes?
HOW can we prepare for it? WHAT risks require special attention?
A primer of special GDPR terms
The GDPR stipulates that only data of natural persons that is necessary for the purpose of data collection may be collected and stored. For this reason, it is not a problem if you ask the customer for a preferred salutation. This information is required in all correspondence. However, questions regarding income, driver’s license, and marital status would be problematic in many cases, for example when the purpose of processing the data is merely a newsletter subscription. For this reason, many companies need to review their forms and, if necessary, adapt them to the new requirements for GDPR compliance.
Duty of disclosure
Anyone who stores data on a (natural) person is obliged to provide this person with information on what data is available about him/her on request (pursuant to Art. 15). The answer must be complete. Penalties may apply if specific details are missing. Even if data is passed on to partners or service providers (‘contract data processors’), you need to keep exact records on this data in order to be able to provide information if necessary.
Right to be forgotten (right to erasure)
The GDPR includes a ‘right to erasure’ of your data (pursuant to Art. 17). Upon request, personal data must be completely deleted from the data carriers of a data processing company. Care must be taken to ensure completeness here, too. If the IT infrastructure still contains personal data of the data subject(s) despite their express will to the contrary, legislators also threaten penalties here.
Obligation to report data loss
In a worst-case scenario in which customer data is lost through hacking or other means, companies are obliged to report this breach to the data protection authority within 72 hours (pursuant to Art. 33) and to inform the affected customers immediately if “a high risk to the rights and freedoms of natural persons [is likely to result]” (pursuant to Art. 34).
How do the GDPR and enaio®, the ECM system from OPTIMAL SYSTEMS, work together?
The basic functionality of an ECM/EIM system can be described as the central management of information in order to maintain a better overview than all competitors. enaio® from OPTIMAL SYSTEMS is particularly well prepared for GDPR-relevant processes: Lists of processes and workflows relevant to data protection can be compiled with just a few clicks, which means that all obligations regarding documentation and information are fulfilled in a single process step and data protection audits become a formality for auditors and audited persons. The publicly appointed and sworn expert Norbert Vogel, an independent, external data protection officer of OPTIMAL SYSTEMS with an IT degree, confirms that the processing of this data conforms to the GDPR when the legal regulations are stored in enaio®, the ECM system.