Basics and effects of the new General Data Protection Regulation (GDPR)
The European General Data Protection Regulation (GDPR) has been in force since 25 May 2018. The GDPR has far-reaching consequences for website operators, bloggers, agencies and many more. In the following we explain the basics, describe the consequences and point out possible recommendations for action for agencies.
The GDPR is a European directive and is implemented at country level by the governments of the respective European countries. Fines of up to four percent of worldwide annual turnover are threatened if its provisions are infringed, and users' claims for damages in the event of data protection violations also increase. It is important to distinguish between the GDPR and the ePrivacy Regulation: the GDPR is a uniform data protection law, while the ePrivacy Regulation deals with the handling of data by network providers and will only take effect from 2019.
According to the GDPR, consent must be obtained immediately for the processing of personal and identifying data. This data includes names, telephone numbers, e-mail addresses and images as well as IP addresses and cookies. Previously, such data could be used to contact users again for remarketing purposes; under the GDPR this is no longer easily possible. The processing of identifying data includes storage, evaluation and the granting of access to third parties. Processing is permitted without special consent only if it is necessary to fulfil a contract, for example the storage of certain customer data by an e-shop to ensure payment and delivery of a product.
Since 25 May 2018, all companies active online must take care of the following (source: https://blog.socialhub.io/dsgvo/):
· List of processing activities: overview and admissibility check of all processing of personal data.
· Security concept: checking and documentation of security measures (e.g. authorization concept, encryption, backups, software updates etc.). In the case of high-risk processing (e.g. extensive processing of health data), an additional data protection impact assessment must be carried out.
· Data protection officer: examination of whether a data protection officer must be appointed (e.g. from ten employees onwards).
· Data transfers: conclusion of so-called order processing contracts with subcontractors and other service providers.
· Instruction and commitment of employees: training courses and confidentiality agreements.
· Rights of data subjects: establishment of procedures for responding rapidly to requests for information, data transfers, erasure or correction.
· Data breaches: processes must also be in place for reporting any data breaches to the authorities and to those affected.
· Audits and updates: it must be ensured that processing is monitored and checked both when changes occur and on a regular basis (e.g. every six months).
Companies must now also be more cautious in their use of social media platforms. It is now forbidden to merge the contact lists of one network with those of other networks, such as Outlook contacts. This is especially important for Xing, LinkedIn and WhatsApp.
Conclusion and recommendations for action
A first step is to commission a data protection service provider to take stock and formulate a tailor-made recommendation for action. To be on the safe side, companies should also engage a lawyer, whose professional indemnity insurance covers liability in case of doubt. There are still many uncertainties in the interpretation of the data protection reform, so it is all the more important to be on legally safe ground.
It is also advisable to deal with the ePrivacy Regulation now. It was originally intended to take effect at the same time as the GDPR, but is still a long time coming and is expected to enter into force in 2019. The regulation mainly affects website operators and also covers the use of the Facebook pixel, for example.
Author: Hanna Kleber, Managing Director KPRN