GDPR 2024 - What you need to know as an entrepreneur
From May 25, 2018, the General Data Protection Regulation (GDPR) will apply in all member states. Important for you to know: As a business owner, you must have already implemented the new regulations by then. The GDPR brings with it a number of changes. According to DGAP, companies will spend an average of eight hours a day searching through their databases in order to meet the new requirements. Around 60% of European companies are not sufficiently prepared for the new guidelines. Find out below what the GDPR will change in terms of data protection and what you should bear in mind to avoid expensive fines.
GDPR – what is it all about?
The GDPR is a regulation adopted by the European Parliament and the Council; the full wording of the regulation is publicly available. The aim is to ensure uniform data protection law across the EU and the protection of personal data. Personal data includes a person's name, address, telephone number, date of birth, email address, income and account details as well as health information. However, it also includes a license plate number, an IP address, or purchasing, surfing and clicking behavior on the Internet. The GDPR regulates data protection law, i.e. how companies handle this data. The main elements of the current Federal Data Protection Act (BDSG) remain in place, but many rules are tightened. The GDPR applies to all companies within the EU and also to companies based outside the EU if they have a branch in the EU or process the data of persons in the EU, for example by offering them goods or services or monitoring their behavior. Practically every company that is active on the internet is therefore affected.
What is changing?
If you have taken good care of your data protection up to now, you can breathe a sigh of relief. As an entrepreneur in Germany, you are definitely at an advantage, as the regulations were already quite strict. Many of the familiar principles will not change.
That remains
The main objective of the data protection regulation remains the same: the fundamental rights of every natural person should be protected. Personal data may still not be collected, processed or used unless a legal basis permits it, such as the consent of the data subject or another legal basis under Art. 6 GDPR (for example the performance of a contract or a legal obligation). In addition, you may only collect and process as much data as you actually need for the stated purpose. The data must be accurate and kept up to date. Furthermore, it may not be used for purposes other than those for which it was collected.
This is new
Commissioned data processing (Art. 28 ff. GDPR)
In the case of commissioned data processing, personal data is processed by a contractor (the processor) on behalf of the controller, for example an external call center, a data center or a hosting provider. Under the BDSG, only the client was previously responsible for the processing. Under the GDPR, the contractor also has direct obligations and can be held liable alongside the client. The contract must still be in writing, but electronic form is now sufficient (Art. 28 para. 9 GDPR).
IMPORTANT FOR OUR CUSTOMERS: Of course, this also affects our customers, because if assistance is provided via remote support (TeamViewer, Remote Desktop, etc.), we may gain insight into personal data (contact persons at customers, suppliers or prospects, calendar or e-mail content, or data on your employees). You will shortly receive an information mailing from our data protection officer explaining this to you. We also have ready-made contracts for our customers that cover the key points.
Consent (Art. 7 GDPR)
If you process personal data in your company on the basis of consent, that consent must be unambiguous and demonstrable. A pre-ticked checkbox on your website, for example, is no longer sufficient and does not constitute effective consent. Consent must be given through a clear affirmative action and be freely given. For example, the conclusion of a contract must not be made conditional on consent to the processing of data that has nothing to do with the service or product. Furthermore, it must be possible to withdraw consent at any time, and withdrawing consent must be as easy as giving it. For online services offered directly to children (Art. 8 GDPR), a minor's consent without parental consent is only effective from the age of 16. Member states can lower this limit to 13 years.
Right to be forgotten (Art. 17 GDPR)
Upon request, companies must delete personal data if they are no longer authorized to use the data. The data must be deleted if the purpose for the data processing no longer applies, if it was unlawful or if the data subject has withdrawn their consent.
Data portability (Art. 20 GDPR)
Users can take personal data with them to another provider, for example if they move to another bank, a new employer or other social networks. However, it is still unclear how this will be implemented in practice.
Data security (Article 32 GDPR)
In order to protect personal data against misuse or loss, both controllers and processors must implement appropriate technical and organizational measures. Which measures are appropriate depends on the state of the art, the implementation costs, and the nature, scope and risk of the processing. Art. 32 GDPR explicitly names pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to data promptly after an incident, and a process for regularly testing and evaluating the effectiveness of these measures. Data security is therefore not a one-off exercise but must be reviewed regularly.
Notification obligations (Art. 33 and 34 GDPR)
There are now specific deadlines in the event of a data breach. You must report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. If the report is made later than 72 hours, the delay must be justified. In addition, every breach must be documented (facts, effects and remedial action taken) so that the supervisory authority can verify compliance with the reporting obligation. If the breach is likely to result in a high risk for the data subjects, they must also be informed directly (Art. 34 GDPR).
Data protection officer (Art. 37 to 39 GDPR)
The obligation to designate a data protection officer (Art. 37 GDPR) now applies uniformly throughout the EU. Among other things, the data protection officer is responsible for advising the company, monitoring compliance with the regulation and providing training to employees (Art. 39 GDPR).
Simplified complaints (Art. 77 GDPR)
In future, it will be possible to lodge a complaint with the data protection authority in your own country, regardless of where the company in question is based. In future, associations will also be able to lodge complaints on behalf of consumers.
What needs to be done?
In order to meet the new requirements, you should make some preparations. But where is the best place to start? After all, there is not much time left before the new regulation comes into force. You should therefore check now what data protection measures are in place in your company and whether they comply with the GDPR. It is best to draw up a concept to inform and train your employees about the new requirements. The most important points are summarized below:
Structure and responsibilities
Does your company have a data protection policy and are responsibilities defined? Who has access to which data and who decides on data processing? It is best to appoint a data protection officer. If you work with special personal data, such as health data, you may be obliged to appoint a data protection officer, regardless of how many employees your company has. If you already have a data protection officer, you should register them with the relevant supervisory authority.
Adapt your contracts
If you work with service providers who process personal data on your behalf, you should adapt the contracts. The content will change with the GDPR. If the contracts are not complete, you could face a fine. Also check the contracts with other contractual partners, particularly regarding liability and data protection.
Transparency and information obligations
Transparency is one of the key principles of data protection law. You must inform the data subject about the processing as soon as the data is collected. This includes, for example, the purpose of use, duration of storage or the right of withdrawal.
Change your forms and consents
As described above, the GDPR imposes stricter rules on the handling of consent. With every consent, information must now also be provided about the withdrawal options. You must also observe certain restrictions if you wish to integrate consent into your terms and conditions or link it to another action, such as the conclusion of a contract. However, there are also simplifications: the written form is no longer required.
Adapt your data protection declarations
The GDPR significantly increases the information obligations towards data subjects. The person must be informed about every processing operation in which you process their data. Each privacy policy must also contain the name and contact details of the controller, i.e. the website operator. If you have a data protection officer, their contact details must also be provided. You must also state the legal basis and the purpose of each processing operation.
Data protection violations
If a data breach occurs, it must be reported to the competent authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the data subjects. Because the deadline runs from the moment you become aware of the breach, you should have processes in place to detect and escalate breaches promptly and to document them.
Train your employees
In view of the upcoming changes, employees need to know why data protection is important and what the consequences are if it is not complied with. You should therefore sensitize all employees who work with personal data in your company, for example data from customers or suppliers, to the topic of data protection and familiarize them with the associated requirements. Ensure that data is not processed without authorization. According to Art. 39 GDPR, training employees is one of the tasks of the data protection officer. Failure to comply with the new regulations may result in a fine.
Fines for violations
The conditions for the imposition of a fine are described in Articles 83 and 84 of the GDPR. Violations are likely to result in greater sanctions than before. However, the amount depends on the type of infringement. For example, a distinction is made as to whether the breach was intentional or negligent, and whether the company reported it itself or the authority became aware of it in another way. For infringements such as breaches of the obligations of controllers and processors, fines of up to EUR 10 million or, in the case of a company, up to 2% of the total worldwide annual turnover of the previous financial year can be imposed, whichever is higher. For serious infringements, such as breaches of the basic principles of processing, of the conditions for consent or of the data subjects' rights, the supervisory authorities can impose fines of up to EUR 20 million or up to 4% of worldwide annual turnover, again whichever is higher.
Further information
If you would like to find out more about the General Data Protection Regulation or the full range of TimeLine ERP functions, please send us a message using the contact form, write to [email protected] or contact our sales team on +49 212 230 35 200. We look forward to hearing from you and will be happy to advise you!