25.05.2018

How Companies Meet the GDPR Requirements: eco Association Answers the Most Important Questions

  • Survey shows that only a few companies consider themselves legally on the safe side
  • Criticism of supervisory authorities: eco demands framework conditions for a practical implementation
  • Service: eco supports companies in meeting legal requirements

Today, the European General Data Protection Regulation (GDPR) enters into force in order to strengthen the legal rights of European citizens to have their personal data protected. For companies, it means that they have to adhere to stricter requirements when it comes to customer data and its further processing. However, according to eco – Association of the Internet industry, not all affected companies are fully prepared for the new legal situation. Shortly before the end of the deadline, many companies began to be concerned about their legal standing in the future.

Survey shows that only a few companies consider themselves legally on the safe side

ABSOLIT Consulting* and eco conducted a survey among 600 marketing decision-makers, which showed that only 10 percent of the companies had already evaluated and adjusted their working processes in line with the GDPR.

This is not without risk, because the new data protection regulations impose stricter sanctions with heavy fines in case of legal infringements. However, the gap was not due to a lack of will or even ignorance on the part of the companies: in March 2018, only three percent stated that they saw no need for adjustments in their companies.

*335 large companies (over 500 employees), 143 medium-sized companies (200-500 employees) and 128 companies (50-200 employees) were surveyed.

Call to supervisory authorities: eco demands framework conditions for a practical implementation

In this context, eco’s Managing Director Alexander Rabe admonishes the responsible supervisory authorities in Germany. It is their responsibility to provide framework conditions for a feasible implementation of the GDPR: “At the moment, there is a lack of hands-on support and application examples for the interpretation of the GDPR. Companies and website operators do not know whether they are acting in accordance with the law. The fear of formal warnings and penalties with serious fines is omnipresent.”

“Now that the GDPR has come into force, German supervisory authorities should work quickly on a nationwide and European-wide uniform interpretation of the GDPR”, says Rabe. “Otherwise data protection is at risk of disintegration, not only in Europe, but also in Germany, and those affected would be exposed to legal uncertainties and risks of formal warnings. This would jeopardize the harmonization of data protection in Europe.”

Service: eco supports companies in meeting legal requirements

In its role as an association of the Internet industry, eco will continue to offer support for latecomers in the coming weeks in order to help companies to meet the GDPR requirements. eco provides its member companies with the service of an external data protection officer on request. For example, the data protection expert can help to train employees and to conduct data protection audits.

Further information available at https://international.eco.de/external-data-protection-officer/.

eco’s data protection expert Thomas Rickert answers the most important questions about GDPR

What exactly is personal data?
“This includes all data that allows conclusions to be drawn about a person. This can be a name, date of birth, phone number, or IP address. To process the data, a company needs a legal basis. This is the case if the person gives his or her explicit consent or if the company has a legitimate reason for storing the data.”

What does the right to be forgotten mean?
“Citizens have the right to have their personal data deleted upon request. However, this does not apply to all data, such as billing data, where there is a legal obligation for companies to keep records.”

What is the right to data portability?
“The intention is to make it easier for customers to switch providers. Companies are obliged to make the data available to a customer or another company in machine-readable form so that the customer can switch from provider A to provider B more easily.”

What are the requirements for processors?
“In the course of the increased documentation obligation, it must be recorded in written form if a company commissions an IT service provider. The provider must then keep a record of his or her compliance with technical and organizational measures to ensure data protection and data security.”

Do I need a data protection officer?
“If at least ten persons are involved in the processing of personal data or if the core activity of the company is the processing of personal data, then a data protection officer is obligatory. This is either an employee who is then independent of instructions and enjoys protection against dismissal, or an external data protection officer.”
