Three years ago, the General Data Protection Regulation revolutionised data protection, but it also created a great deal of uncertainty in its implementation. There were concerns that even the smallest violation would be punished with draconian fines. Entire professions, such as photographers, saw their existence threatened. As a result, some companies reacted with sometimes excessive measures, while others only implemented the absolute minimum once and then saw no need for further action.
Effective data protection must be deeply rooted in an organisation. At the same time, its implementation must always be proportionate to the data processing actually taking place. The success of data protection management depends on its acceptance within the company, so smooth and appropriate processes, not excessive ones, are a must.
If a company is not prepared, requests that are actually trivial can result in massive effort. Without suitable processes, for example, answering a data subject access request or honouring another data subject right within the statutory deadline and in the required form can become a time-consuming and expensive challenge.
TÜV TRUST IT GmbH TÜV AUSTRIA group has collected eight success factors for successful data protection management from its experience.
1. Management commitment
Data protection management must be sustainable and backed by management. Management must stand behind it, give data protection the necessary room, and accept that the compliant way is sometimes not the most direct or convenient one.
2. Awareness
In addition to management, all other employees must be aware of the obligations that arise from processing personal data. This includes knowing that data subjects have rights and must receive information at the right time and within the statutory deadlines. It must also be clear that data protection does not end with formalities: a malware infection or a fraud attempt targeting the company, and thus its customers, may also constitute a personal data breach, with the corresponding notification obligations towards the supervisory authority and, where necessary, the affected individuals.
3. Process map
Most companies know which IT applications they use. Data protection, however, relies on a process view. When a data record is printed out from an IT system and filed, it leaves the digital world, yet retention and deletion periods still apply to it. Control is therefore only possible if all of a company's processing operations involving personal data are known and documented, for example in the record of processing activities that the GDPR requires.
4. Data classification
As in information security, it is essential in data protection to protect data appropriately. An address has a different value than health information in this respect. It is therefore misguided to treat all personal data in the same way; protective measures must always be proportionate to the sensitivity of the data. Otherwise, either maximum security measures would have to be applied even to trivial data, causing enormous effort, or information that is particularly worthy of protection would not be adequately protected, creating a situation that is genuinely liable to fines. A detailed classification of all personal data is therefore an essential feature of effective data protection.
5. Procurement processes
Software procurement is often a formalised process in which technical requirements, customer-specific adaptations and, last but not least, costs play an important role. Advancing digitalisation means that "off-the-shelf" offerings, which can be configured and put into use quickly with little effort, also play a major role. The commercial aspects are less of a problem here. What is crucial is the awareness of the requesters and purchasers, who must be able to judge, based on the data concerned, whether the processing has to be checked in advance and approved by other departments in the company. The conclusion of data processing agreements with the provider must also be taken into account at this point. It is extremely unsatisfactory for all sides if this question only arises shortly before go-live and then has to be negotiated at very short notice.
6. Change management
Existing data processing changes over time. Modular products are extended, especially in times of ready-made cloud services. Existing information is made available to new authorised persons. Data is correlated, creating new statements with a personal reference. Many further steps follow from this, from adapting the data protection information, to a possible data protection impact assessment, to reclassifying an affected application so that stricter protective measures apply. It is therefore important not to neglect the "data protection" dimension here either.
7. Co-determination rights
The data is known and classified, the protective measures have been judged sufficient, procurement has been handled, and there is no disagreement about changes to applications. Where the processing involves employee data, however, the works council, which in many cases has co-determination rights, must not be ignored. While it is advisable to conclude framework agreements that regulate the general principles of data processing, explicit agreement is required in particular for sensitive data or for processing that could be used to monitor employees. It is advisable to always involve the works council at an early stage.
8. Data protection officers
With all the questions that arise in data protection, one thing is always clear: companies need expertise. Many companies have appointed a data protection officer, either because the size of the company requires it or because the type of data processing does. Depending on the company, data protection management can become so complex that separate data protection units are established. A sufficiently qualified and experienced data protection officer is able to manage this. The sometimes very formalistic data protection processes can thus be unified and standardised so that decisions are taken as quickly as possible and many of the problems outlined here do not arise in the first place.