
Crash course GDPR - Summary of the 10 most important facts

25 May 2018: the GDPR came into force on this date. Curse or blessing? After two years it is not exactly one of the most popular topics for companies. Nevertheless, the GDPR remains highly relevant today. Since the GDPR came into force, fines in the millions have already been imposed, and not only entrepreneurs are placing more emphasis on data protection; private individuals have also become a little more sensitive. We have summarised the 10 most important questions and tips for you as briefly as possible.

25 May 2018: the GDPR has applied since this date. Curse or blessing?

After two years this is not exactly one of the most popular topics for companies. Nevertheless, I think that the GDPR remains highly relevant today. Since the GDPR came into force, not only entrepreneurs have been attaching more importance to data protection; private individuals have also become a little more sensitive. Companies are now obliged to disclose their subcontractors, which makes it easier to find out who is involved in data processing and where. This is not always obvious at first glance, because behind the subcontractors there may be a further chain of subcontractors.

IT lawyer Frank Trautwein of Fresh Compliance also takes the view that the topic is more relevant than ever, even after two years: "In two years of GDPR we have found strengthened data protection awareness in companies. But also significantly more active data protection authorities. Anyone who does not see data protection as a crucial management issue in 2020 should change this quickly."

High fines for GDPR infringements

The internet company Google had to pay a fine of 50 million euros in France because it was difficult to trace how long Google was storing user data and who else was processing it. Deutsche Wohnen SE received the highest fine in Germany, amounting to 14.5 million euros, because it continued to store tenant data unlawfully after repeated requests from the data protection authorities. In Europe, the highest fine to date was 204 million euros, imposed because the airline British Airways lacked adequate security precautions, which led to data theft. A list of the fines can be found in the GDPR Enforcement Tracker.

Even if high fines are the decisive extrinsic motivator for many to take the GDPR seriously, we at luckycloud took data protection seriously even before the GDPR, and we have learned that transparent communication about data processing should be the basis for any company that processes sensitive data. After all, everyone should have the right to know where and when their own data is used and processed.

Philipp Heindorff, lawyer at Fresh Compliance, sees it similarly: "GDPR is two years old and the Internet is bursting with cookie banners. But European data protection has achieved much more. Many companies finally recognize data protection as part of customer service. It should be a matter of course to answer a request for information about my data just as quickly as a query about my order. Privacy by Design and Privacy by Default are still far too rarely used in practice. In every data-driven project, companies should think about how to protect data in the best possible way from the outset or even work 'data sparingly'. Pseudonyms instead of real names, automatic deletion of geodata from a photo shoot, analysis functions are deactivated by default, the deletion of my customer data as a self service, accessible data export functions, warnings for users when entering sensitive data, etc."

There are still plenty of founders, companies and individuals who have not yet dealt with the topic. Therefore, in the following sections we have summarised the 10 most important facts for you as briefly as possible and answered the most important questions from our GDPR interview of two years ago. We focus on the points that matter most to us, which does not mean that there are not many other important aspects.

1. What is the GDPR and to whom does it apply?

The General Data Protection Regulation (abbreviated: GDPR) is a legal framework of the European Union intended to harmonise the processing of personal data and to protect the fundamental rights of natural persons, in particular the protection of personal data. The regulation applies to all companies that collect, use or process personal data of EU citizens.

2. What is personal data?

Personal data is any information or record that identifies, or can be used to identify, a natural person, such as

  • Name,
  • Address,
  • E-mail address,
  • Account details,
  • Cookies,
  • IP addresses, etc.

Some of this data falls into special categories that require stronger protection, such as political opinions, health data, biometric data or data on racial or ethnic origin.

3. When may personal data be processed? (Art. 6-23 GDPR)

Personal data may only be processed if the following principles are followed:

Lawfulness:

In principle, data may only be processed if there is a legal basis. A legal basis is, for example, a contract, consent, or another law (e.g. HGB, AO, TMG).

Data minimisation (principle of data economy):

Only as much data may be processed as is actually needed for a specific purpose.

Purpose limitation:

Data may only be used for the purposes for which it was originally intended.

Accuracy:

Data must be complete, up-to-date and correct.

Data security:

Data processors must ensure an adequate level of protection with appropriate technical and organisational measures. The level of protection depends on the need for protection of the data - if the data is particularly sensitive, higher data security measures must be used, such as additional encryption.

Right to be forgotten:

Data processors are obliged to delete or block the personal data concerned as soon as there is no longer an authorisation to process it. For example, the authorisation no longer exists if:

  • The purpose for which the data was processed no longer applies
  • The consent of the data subject has been revoked
  • The data was processed unlawfully

Right to data portability (data transferability):

At the data subject's request, the data processor is obliged to assist them in changing provider and to hand over their data in a common, machine-readable format.

Accountability:

Data processors must be able to demonstrate on request that appropriate data protection management is in place in the company and that data protection principles are being observed.

"My secret tip would be to see data protection as an integral part of customer service, as customers are placing ever greater value on it. To achieve this, data protection processes must be well prepared and standardized. Authorities in particular are often called in when the answers to so-called requests for information get stuck or are not forthcoming at all." - advises Frank Trautwein from Fresh Compliance.

4. Obligations for entrepreneurs (Chapter 4 GDPR)

First of all, one or more persons responsible for implementing the GDPR in the company must be designated; this may or may not be a data protection officer. Employees must be made aware of the topic, and data processing procedures must be communicated and documented with work instructions. Among other things, records of processing activities must be created for this purpose. With customers, partners and suppliers that process data on your behalf, in short "processors", a data processing agreement must be concluded.

These obligations are further explained in the next 5 points.

5. Who may be data protection officer? (Art. 37 - 39 GDPR)

A data protection officer can be an internal employee who performs this role without being bound by instructions. Alternatively, an external data protection officer can be appointed. In the following video, Philipp Heindorff explains when it is necessary to appoint a data protection officer.

6. What is a processor? (Art. 28 GDPR)

A processor is a company or organisation that processes personal data on behalf of the principal (the controller). This includes cloud solutions, website hosting, e-mail marketing providers or other IT systems that process personal data. If you store personal data with luckycloud, then you, as the "principal", and luckycloud, as the processor, are obliged to enter into a data processing agreement.

7. What is a data processing agreement and who has to sign it?

A Data Processing Agreement (short: DPA) must be concluded with each processor. Private customers who do not process their data for a business purpose do not need to conclude a DPA.

"It should be clear by now at the latest to every data-driven company that it is necessary to conclude data processing agreements. What has become a matter of course for many companies in the meantime, still triggers queries from others. If not already done, ask the relevant data processing service providers for a 'DPA'." - recommends Frank Trautwein.

Part of the DPA is the so-called "TOM" and a subcontractor directory, which lists the name, location and purpose of each subcontractor's processing. Subcontractors assist the processor in carrying out the order.

I always find this list particularly interesting when we are looking for new applications. I have already experienced several times that a provider advertises with the highest data protection measures and "100% Made in Germany", but the order is then passed on to less data protection friendly companies.

8. Who or what is TOM? (Art. 32 GDPR)

TOM is the abbreviation for technical and organizational measures. Frank Trautwein gave us a good explanation for this in our interview: "TOM is the little brother of IT and information security".

The TOM documents which measures the processor uses to ensure data security and data protection. The documentation must cover the following points:

  • Pseudonymisation
  • Encryption
  • Guarantee of confidentiality, integrity, availability and resilience of the systems
  • Measures for data recovery
  • Measures for the regular review, assessment and evaluation of the TOMs

9. What are records of processing activities? (Art. 30 GDPR)

Records of processing activities are a documentation of all processes in which personal data is processed. The documentation must be structured into the following points:

  • Name and contact details of the person responsible
  • Name and contact details of the data protection officer
  • Category of data processing (e.g. cloud services, document destruction, archiving, etc.)
  • Purposes of data processing
  • Categories of data subjects
  • Categories of personal data
  • Categories of recipients
  • Transfers of data to third countries or an international organisation
  • Deadlines for deletion
  • Description of the technical and organisational measures

10. How do I work GDPR-compliant in the cloud? - Checklist

In principle, most cloud providers are GDPR-compliant. However, everyone has different ideas about and requirements for data protection. With the GDPR you gain more transparency and can decide for yourself where and how your data is processed.

Basically, you first have to find a provider that meets your requirements. Here is a checklist of what you should pay attention to:

  • Locations of the processor in Europe, or even better, in Germany
  • Encryption types, such as transport encryption, client-side end-to-end encryption, server-side encryption, encryption of user passwords
  • Authentication options: two-factor authentication, authentication via LDAP
  • Use of open source software
  • Configurable recovery periods
  • Subcontractor directory
  • Backup concept
  • Availability guarantees
  • Work according to the zero-knowledge principle

Once you have made your choice, you must conclude a DPA and include the provider in your "GDPR documents" and data processing procedures.

At this point I would like to add that compliance with the GDPR is not a guarantee of high data security; rather, it defines the minimum level of data protection that must be guaranteed. Beyond that, each company is free to decide how high it wants to set its data protection and data security. The same applies to you as a client: if you have high requirements, then you should definitely consider the individual points in the checklist when making your selection.

The fact is that the GDPR is not a directive, but a regulation to which everyone who processes data of European citizens must adhere.

--
Author: Nicole Smuga

Sources:
Verordnung (EU) 2016/679 (Datenschutz-Grundverordnung)
