Sharper Data Protection Regulation as of May 2018

Final Phase of GDPR Preparation

The countdown has started: by 25 May 2018, all enterprises must have implemented all new provisions of the General Data Protection Regulation (GDPR), which has been in force since 2016.

The tightening mainly affects accountability and the burden of proof concerning personal data, as well as the notification obligation in the event of a data breach. At the same time, penalties increase significantly. To comply with the law, processes need to be adjusted or redefined.

The new data protection rules under the GDPR affect all companies. In future, collecting and storing personal data to complete an order will require greater diligence. An important aspect of the new rules is the strengthened so-called accountability and burden of proof: companies must be able to prove the lawfulness of their data processing at any time. "This proof may be provided for example through consent or contracts with the relevant customer," explains Timo Gehle, head of IT strategy, IT security & data protection in the consulting department of DATEV eG. Within the scope of his function he also acts as external data protection officer for tax consulting offices and companies and knows data-protection-related problems from his daily work.

Accountability and Burden of Proof

Furthermore, as of May 2018 there are generally stricter provisions for handling personal data. "Personal data can only be collected and processed for certain defined purposes," says Gehle. "Enterprises have to make sure that inaccurate data will be erased or rectified without delay." Data that is no longer required must also be erased immediately. In addition, personal data has to be protected by technical and organizational measures against illegitimate processing and against unintended loss or damage. Breaches of accountability may cost enterprises up to four percent of their annual turnover (maximum 20 million euro).

The same framework of fines applies to breaches of the so-called rights of the data subject. "This includes the companies' information obligation, the right of access by the data subject as well as, depending on the situation, its right of rectification or erasure," summarizes data protection expert Timo Gehle. "Therefore, it is essential in this field to implement relevant processes and record them transparently."

Here you can find the complete English version of the EU regulation.