10 point checklist GDPR

The GDPR has now been through for about three months. And most companies have also felt that this is the end of the story. But even if all the requirements for the GDPR had been met by the deadline, this is no guarantee that nothing more will be heard about the GDPR for the next five years, let alone on the subject of data protection. Because in our modern world, nothing is more constant than volatility. Under the motto “10 points for secure failure”, Martin Aschoff has once again compiled the most important facts so that you will also live in harmony with data protection in the long term. We hope you enjoy our 10 point checklist GDPR.

The strategy of simply doing what you have read somewhere or what self-appointed experts recommend can quickly be doomed to failure. Reports and instructions are now available in sufficient quantities for the GDPR. But unfortunately there are many half-truths and myths. It quickly happens that you have read five articles and afterwards you are just as clever as before, because each article contains something different or has a different recommendation. In addition, certain bodies, such as consultants and law firms, deliberately create a certain amount of panic in order to secure their business for the near future.

But how do we know what is true and what is not? First of all you should check where certain articles and recommendations come from. Online articles in particular are often not first-hand information, but contributions from the larger media. It can quickly happen that a connection is no longer displayed correctly. Therefore, if possible, always read the primary source. Don’t forget the seriousness of the source. A trade magazine is certainly more competent than the yellow press. If you have a competent law company on hand, you will surely get the most binding answers. Another possibility is the exchange with other affected parties (companies). What experience have they gained? How did they approach the matter? So you can benefit from the experiences of others.

Clearly you should give your lawyer the most important things for examination, but the GDPR is not a topic, which the lawyer can accomplish on his own. On the one hand, expert lawyers are currently very busy on this subject, which can certainly lead to delays. On the other hand, you may receive recommendations that are not compatible with your company’s practice or are more extensive than necessary. The issue of GDPR must also be implemented throughout the company. This starts already with the fact that no customer data may lie openly around or personal data are sent unencrypted by e-mails. And your lawyer can’t do that for you.

If your contract processor is in the EU, you may get by with the statement in good conscience. But what if it is not in the EU? That’s when things get more complicated. Since a company based in Turkey, for example, will have relatively little interest in EU law and even if they accommodate you, sufficient legal certainty is probably questionable. Another factor of uncertainty is the still-EU country Great Britain. If Brexit should actually occur, it is questionable whether the British will take over the GDPR for themselves. And of course there is the USA with the newly occurred CLOUD Act which produces a large conflict potential with the GDPR. On top of that, you are not only affected if you use a processor directly located in USA, this also applies to foreign subsidiaries of US companies.

Anyone who really believes this is not only very naive about the subject of data protection, but is also grossly negligent. There are certainly always some who do not pay too much importance to the subject, but this should not be assumed in general. Especially in the course of the recurring data scandals, most of them have become significantly more sensitive to the topic of data protection. Of course there are also people who share their whole life in social media, but usually only the bright side is presented. This means, they share only specifically selected information. In addition, a responsible and transparent handling of data creates trust and this is the basis for your customer to remain your customer.

Clever providers may be tempted to obtain the consent of their prospects and customers by bribery (e.g. in the form of vouchers), or even use subtle techniques of extortion (e.g. certain payment methods only against consent).

However, this is clearly no longer possible with the EU GDPR (Article 7, paragraph 4). For example, Maximilian Schrems (an Austrian data protection activist) is suing Facebook precisely because he believes that Facebook requires too many consents from the user to open an account, which would not be absolutely necessary for the operation of a Facebook account.

However, there are grey areas, which can still be seen as a convincing argument for consent and not yet as bribery. Here you can ask your lawyer or wait for the first court rulings on the subject, because they will come (see Facebook).

Have you already received initial requests for information about the customer data stored by you? No? Then you’ve been lucky so far! Because according to the GDPR everyone has the right to receive information about which data of one is stored – even if no data was stored.

Of course you can answer a single request, but what if there are more? Before this happens, there is an urgent need to think about how the company can implement the most automated information process possible, preferably yesterday and tomorrow. Because especially with several inquiries, a month, which is the time you have for giving out the information according to GDPR , is not long. Therefore, as much as possible should be digitized and automated, if only to avoid burdening your own human resources with unnecessary tasks. Incidentally, the data transmitted to the inquirer must be digitally processable.

Everything could be that simple… If someone says we should delete his data, then we delete all his data… but unfortunately it is not that simple. For the data must be differentiated whether it may or may not be needed again under certain conditions. Certain data may still be required, for example, to fulfil legal obligations or to assert, exercise or defend legal claims. In these cases a solution of the data is not necessary and thus the processing contradiction or a deletion order is invalid.

There are things that never have an end, the implementation of data protection guidelines belongs to it. Because again and again small legal changes can occur or the state of the art is no longer the most current and must be overhauled. In addition, everyone has to keep a list of their processing activities, which unfortunately does not maintain itself. As a result, there are always changes here, such as contract processors, which are added.

In advance: the excuse “Sorry, I’ve forgotten” is not so good here. To prevent escalations, an emergency plan for data spying should be drawn up beforehand. In the event of reportable incidents, the company data protection officer must always be informed first. Thereafter, it should be examined whether an “infringement is not likely to pose a risk to the rights and freedoms of people”. In this case, the data protection authority would not have to be informed.

Principially, this statement is not completely wrong. First and foremost, the data protectionists are concerned with hitting companies such as Facebook, Google & Co. who have so far not attached much importance to where any data ends up and persuading them to rethink. That’s not a free pass. Regulatory authorities must investigate every complaint, regardless of whether it is a large corporation or a ten-man company. Incidentally, anyone who has already attracted the attention of the authorities in the past should be particularly careful, because such companies will certainly be audited first.

Have you found yourself here again and may also need support in the legally compliant implementation of the GDPR? Then visit us at the dmexco. Here we show you how it works with GDPR-compliant e-mail marketing.