Data protection in companies – more than just a side project
Data protection and its importance for companies
Data protection affects private individuals and organizations alike. It protects individuals from uncontrolled and unlawful processing of their personal data. At the same time, it poses considerable challenges for companies.
However, the problem is largely self-inflicted. For many years, personal data was handled carelessly and arbitrarily and was often used, stored or passed on unlawfully.
The countless cases of data misuse and unauthorized processing that accumulated over many years prompted the EU legislator to act, leading to the adoption of the strict EU General Data Protection Regulation.
EU GDPR - the regulation that changed everything
The EU General Data Protection Regulation (GDPR), which has applied throughout the EU since May 25, 2018, is a comprehensive regulation for the protection of personal data in the European Union. It strengthens the rights of individuals with regard to their data and sets out strict requirements for the processing of personal data by companies and organizations.
In addition to the principles for the processing of personal data (Article 5), Articles 15 - 22 are particularly important for organizations. They regulate the rights of data subjects, such as the right of access, rectification and erasure, restriction of processing, data portability and the right to object. Closely related are the conditions for valid consent (Article 7) and the obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33).
These rights meant significant changes for companies: They had to make extensive adjustments to their data protection practices, including the implementation of new data processing processes, the appointment of data protection officers and the introduction of technical and organizational data security measures.
These measures led to an increased awareness of data protection issues and a higher level of transparency and accountability in the handling of personal data in organizations.
What are the consequences of non-compliance with the GDPR?
Failure to comply with the General Data Protection Regulation (GDPR) can have significant legal, financial and reputational consequences for companies. Here are some examples:
- Fines: The GDPR provides for severe fines in two tiers (Article 83): up to €10 million or 2% of the global annual turnover of the previous financial year for some infringements, and up to €20 million or 4% for the most serious ones, in each case whichever amount is higher. A well-known example is the fine of 50 million euros imposed on Google by the French data protection authority CNIL in January 2019 for violating the transparency and information obligations of the GDPR.
- Legal action and claims for damages: Individuals or groups whose data protection rights have been violated can claim damages. Companies may also be faced with lawsuits, which can lead to additional costs, both in the form of financial compensation and legal costs.
- Loss of reputation: Data breaches can significantly damage the trust of customers and other stakeholders in the company. This can have a long-term impact on brand reputation and customer trust. One example is the case of Facebook and Cambridge Analytica, which led to a severe loss of trust and significant reputational damage.
- Orders and regulatory measures: Data protection authorities can issue orders that force the company to comply with the GDPR. This may require the introduction of new data protection policies and practices, which are associated with costs and administrative effort.
- Operational restrictions: In serious cases, a supervisory authority can impose a temporary or definitive limitation on processing, including a ban (Article 58(2)(f)), so that the company has to stop or restrict certain processing activities until compliance with the GDPR is ensured. This can lead to production interruptions or other operational problems.
Companies draw mixed conclusions
Almost six years after the introduction of the EU GDPR, many companies are drawing mixed conclusions. While data protection leads to considerable challenges in practice, it also has positive effects.
According to a survey conducted by the digital association Bitkom at the end of 2023, many companies see the GDPR as an obstacle to innovation and competitiveness. High administrative requirements and legal uncertainty in the interpretation of the rules make implementation more difficult.
At the same time, however, the GDPR has also led to an increased awareness of the protection of personal data and greater data security. This strengthens customer trust and creates competitive advantages in international business (source: bitkom.de).
The role of the data protection officer
A data protection officer (DPO) plays a central role in organizations by ensuring that all data protection regulations are complied with. The DPO can be appointed internally from the ranks of employees or externally as a service provider. Their tasks (Article 39) include monitoring compliance with data protection law, training and raising awareness among employees, advising on and monitoring data protection impact assessments, and cooperating with and acting as the contact point for supervisory authorities.
The role of the DPO is not an easy one. He or she must constantly keep the relevant knowledge up to date due to changing legal frameworks and technological developments. At the same time, the role of the data protection officer is accompanied by the expectation that data protection risks are reliably identified and assessed and that suitable protective measures are implemented. In addition, the data protection officer must ensure that data protection breaches are reported and dealt with effectively in order to avoid potential legal and financial consequences for companies.
Is the appointment of a DPO mandatory for companies?
A data protection officer is mandatory for companies in the European Union under certain conditions. These obligations are set out in the General Data Protection Regulation (GDPR, Article 37) and, for Germany, in the Federal Data Protection Act (BDSG). A data protection officer is required in the following cases:
Public bodies and authorities: Every public body or authority (with the exception of courts acting in their judicial capacity) must appoint a data protection officer.
Core activities of the company:
- If the company's core activity consists of carrying out processing operations that require regular and systematic monitoring of data subjects on a large scale.
- If the company's core activity consists of the processing of special categories of data on a large scale in accordance with Article 9 or of personal data relating to criminal convictions and offenses in accordance with Article 10.
Company size (Germany only):
- Under § 38 BDSG, a data protection officer is additionally required if, as a rule, at least 20 persons in the company are constantly engaged in the automated processing of personal data. The threshold refers to the number of employees working with personal data, not to the number of data subjects. It is a national rule based on Article 37(4) GDPR; other member states set their own additional criteria, or none. § 38 BDSG also requires a DPO regardless of headcount where processing is subject to a data protection impact assessment, or where personal data is processed commercially for the purpose of transfer, anonymized transfer or market or opinion research.
It is important to note that even if a company is not obliged to appoint a data protection officer, it may still be useful to have one to ensure compliance with the GDPR and the protection of data.
What does "data protection management" mean for companies?
Data protection management is the systematic planning, implementation and monitoring of measures aimed at protecting personal data within a company and meeting the legal requirements for data protection. This comprises several components:
- Policies and procedures: Development and implementation of data protection policies and procedures that regulate the handling of personal data and ensure that all legal requirements are met.
- Data security measures: Technical and organizational measures to protect data from unauthorized access, misuse, loss or destruction. These include measures such as encryption, access controls and regular security checks.
- Employee training: Regular training and awareness-raising for employees with regard to data protection regulations and the secure handling of personal data.
- Data protection officer: Appointment of a data protection officer who monitors compliance with data protection regulations and acts as a point of contact for data protection issues within the company and with supervisory authorities.
- Documentation and verification: Documentation of all processes and decisions relevant to data protection in order to be able to prove compliance with data protection regulations. This includes keeping a register of processing activities and carrying out data protection impact assessments.
- Review and adaptation: Regular review of data protection measures and adaptation to new legal requirements or technical developments.
Effective data protection management not only helps companies to minimize legal risks and avoid fines, but also helps to strengthen the trust of customers, partners and employees and protect the organization's reputation.
How does software support data protection management?
Data protection software provides a structured framework for implementing the requirements of the EU GDPR. It makes it easier for data protection officers to document data protection within a company.
Data classification and inventory: The software helps to identify and classify personal data and create a comprehensive directory of processing activities. This is essential in order to have an overview of all stored data and to ensure that processing is transparent and traceable.
Consent and rights management: It facilitates the management of data subjects' consents and supports the fulfillment of data subjects' rights, such as the right of access, rectification, erasure and data portability. This is particularly important as the GDPR sets strict requirements for consent and the processing of data subject requests.
Risk assessment and data protection impact assessment (DPIA): Data protection management software can assess risks associated with the processing of personal data and perform automated or guided data protection impact assessments (Article 35). This helps to identify risks at an early stage, before a processing activity goes live, and to take appropriate measures to minimize them.
Documentation and verification: The software supports the complete documentation of all data protection-relevant processes and measures. This is important in order to be able to prove compliance with the GDPR in the event of audits by supervisory authorities or in the event of data protection incidents.
Reporting data breaches: In the event of a personal data breach, the software supports timely reporting by providing standardized processes and templates. This helps to notify the supervisory authority within the 72 hours after becoming aware of the breach required by Article 33, and, where the breach is likely to result in a high risk to individuals, to inform the data subjects without undue delay as required by Article 34.
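To make the two functions described above concrete, here is a small added example (written for this article, not code from the original page or from any vendor's product): a column classifier that flags personal data and Article 9 special categories in a constructed sample dataset and produces a minimal register-of-processing-activities entry, plus a deadline calculator for the Article 33 / Article 34 notification duties. The column names, detection patterns, sample rows and the "special categories imply a DPIA" rule are assumptions for the demo and not taken from the text.

```python
"""Added example: data classification / inventory and breach-deadline
calculation for a data protection management tool. The detectors,
column-name hints, sample rows and DPIA rule below are demo assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Heuristic detectors for common personal-data formats (assumed, not exhaustive).
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "iban": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
    "phone": re.compile(r"^\+?\d[\d\s/-]{6,}\d$"),
}

# Column-name hints for Art. 9 special categories (assumed vocabulary).
SPECIAL_CATEGORY_HINTS = {
    "health": ("diagnosis", "icd", "health", "medical", "blood_type"),
    "religion": ("religion", "confession"),
    "trade_union": ("union_member",),
    "biometric": ("fingerprint", "face_template"),
}

# Directly identifying columns that no value pattern would catch (assumed).
NAME_HINTS = ("name", "surname", "birth_date", "address")


@dataclass
class ColumnClassification:
    column: str
    personal_data: bool
    special_category: str | None = None
    detector: str | None = None


@dataclass
class ProcessingRecord:
    """Minimal register-of-processing-activities entry (Art. 30(1))."""
    activity: str
    purpose: str
    columns: list[ColumnClassification] = field(default_factory=list)

    @property
    def has_special_categories(self) -> bool:
        return any(c.special_category for c in self.columns)

    def dpia_recommended(self) -> bool:
        # Assumed rule: special-category data points to a DPIA (Art. 35(3)(b));
        # whether the processing is "large scale" is left to the reviewer.
        return self.has_special_categories


def classify_column(name: str, values: list[str]) -> ColumnClassification:
    """Classify one column from its name and a sample of its values."""
    lowered = name.lower()
    for category, hints in SPECIAL_CATEGORY_HINTS.items():
        if any(h in lowered for h in hints):
            return ColumnClassification(name, True, category, "name_hint")
    if any(h in lowered for h in NAME_HINTS):
        return ColumnClassification(name, True, None, "name_hint")
    if lowered.endswith("_id"):
        # Pseudonymous identifiers still relate to an identifiable person
        # (Recital 26), so the column is personal data, not "anonymous".
        return ColumnClassification(name, True, None, "pseudonymous_id")
    non_empty = [v.strip() for v in values if v]
    for detector, pattern in PATTERNS.items():
        if non_empty and all(pattern.match(v) for v in non_empty):
            return ColumnClassification(name, True, None, detector)
    return ColumnClassification(name, False)


def build_record(activity: str, purpose: str, rows: list[dict[str, str]]) -> ProcessingRecord:
    record = ProcessingRecord(activity, purpose)
    for column in rows[0]:
        record.columns.append(classify_column(column, [r.get(column, "") for r in rows]))
    return record


def breach_deadlines(aware_at: datetime, high_risk: bool) -> dict[str, datetime | bool]:
    """Art. 33: notify the supervisory authority within 72 h of becoming aware.
    Art. 34: inform data subjects without undue delay if the breach is likely
    to result in a high risk (the regulation sets no fixed hour limit here)."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to avoid DST ambiguity")
    return {"authority_deadline": aware_at + timedelta(hours=72),
            "notify_data_subjects": high_risk}


# Constructed sample data for the demo (fictitious persons and accounts).
SAMPLE_ROWS = [
    {"customer_id": "1001", "email": "a.mueller@example.org",
     "iban": "DE89370400440532013000", "diagnosis": "J45"},
    {"customer_id": "1002", "email": "b.schmidt@example.org",
     "iban": "DE02120300000000202051", "diagnosis": "E11"},
]
EXAMPLE_AWARE_AT = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)  # assumed

if __name__ == "__main__":
    rec = build_record("customer_billing", "invoicing and insurance settlement", SAMPLE_ROWS)
    for c in rec.columns:
        print(f"{c.column:12} personal={c.personal_data} special={c.special_category} via={c.detector}")
    print("DPIA recommended:", rec.dpia_recommended())
    print(breach_deadlines(EXAMPLE_AWARE_AT, high_risk=rec.has_special_categories))
```

Running the module classifies all four sample columns as personal data, marks the diagnosis column as health data, recommends a DPIA, and prints the authority deadline 72 hours after the awareness timestamp. The timezone check is there because a deadline computed from a naive local time can be off by an hour around a DST change, which is exactly the kind of error a notification workflow must not make.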
Data security with an ISMS
An information security management system (ISMS) is an essential tool for ensuring data security in the context of data protection. It provides a systematic approach to protecting the confidentiality, integrity and availability of personal data while meeting the requirements of the GDPR.
The ISMS includes policies, procedures and controls aimed at identifying, assessing and managing risks. Through regular audits and continuous improvement processes, an ISMS ensures that data security measures are always up-to-date and effective. It also promotes employee awareness and training in the handling of personal data, which helps to minimize security incidents. Overall, an ISMS creates a robust foundation for the protection of sensitive data and strengthens confidence in a company's data security practices.
INDITOR® provides you with optimum support for the introduction of various industry standards, such as an ISMS in accordance with DIN EN ISO/IEC 27001 or BSI IT-Grundschutz (IT baseline protection).
We offer an individual and tailor-made solution for any size of organization, with which you can easily and efficiently implement information security in your company.
Your software for ISMS, data protection & GRC
Test the i-doit GRC Suite free for 30 days – in the cloud or on-premises. More than 400 companies successfully manage information security, risks, and compliance with i-doit.