THE REQUIREMENTS OF THE NEW GENERAL DATA PROTECTION REGULATION
From 25 May 2018 the General Data Protection Regulation (GDPR) applies directly, standardizing and completely revising data protection law within the EU. German data protection law, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz), is superseded in the process. The good news is that the European legislator followed German law in many respects. The bad news is that the GDPR significantly extends the duties of companies and at the same time drastically raises the fines for infringements. Data protection therefore turns from a "necessary evil" into an "expensive evil".
The GDPR was adopted in May 2016. Two years later, in May 2018, it becomes applicable law. The advantage for cross-border businesses, which will face largely identical data protection requirements throughout the EU, comes at the price of several changes to the current legislation and of additional tasks to be fulfilled.
I. Severe fines
Before turning to the substantive changes, the size of the newly introduced fines shows why they matter. Data protection was certainly already regulated in many respects, but companies were likely to have dealt with it mainly for marketing rather than legal reasons, because violations usually had smaller legal consequences than effects on public perception. The GDPR, however, establishes fines of the order known from antitrust law: the competent authorities may impose fines of up to EUR 20 million or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover, whichever is higher. This is combined with a considerable shift of the burden of proof (the accountability principle). In the event of a data leak, or merely a complaint, the company concerned must be able to explain and document that it took all necessary steps to prevent the leak, and that it thoroughly checked whether it really needs all the data it collects. And the new requirements open up a wide range of potential breaches.
II. Ambit
The General Data Protection Regulation applies, like the current data protection law, to every entity that processes personal data and therefore to every company operating within the EU.
III. New requirements
First of all, every company concerned has to develop a security concept, implement it and (this is important!) document it. In the event of a data leak, the company has to be able to demonstrate on the basis of records, reports, assessments or the like that it took appropriate measures to protect personal data. A personal data breach also has to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it. This requires the establishment of adequate procedures and structures. And on a strict reading of the wording of the law, even an e-mail sent to the wrong addressee by mistake constitutes such a breach.
In individual cases a so-called data protection impact assessment has to be carried out and documented before a particular processing operation starts and, in some cases, has to be coordinated with the supervisory authority beforehand. This assessment is an early check of whether the data collection is necessary, weighing the interests of the data subjects. It concerns in particular situations in which the company intends to collect extensive personal data; in the authors' reading, that threshold can already be reached when the company asks for the usually required fields of a registration form, e.g. for a newsletter or a customer loyalty program, to be filled in.
IT systems, process sequences and default settings have to be set up so that as little data as possible is collected ("privacy by design" and "privacy by default"). This again requires determining which data are actually necessary, weighing the interests of the data subjects and, once more, detailed documentation.
The GDPR grants every data subject a right of access to the data a company holds about them. Companies have to be able to deal promptly with access requests, which again requires the establishment (and documentation) of suitable processes. Without such processes it will hardly be possible to extract all the data actually stored about a person from the company's IT systems.
Any existing privacy statements have to be checked and, if necessary, amended in order to meet the new requirements.
IV. Implementation timetable
It is no surprise that data protection is currently being discussed. The requirements, however, are still not entirely clear, even though the German legislator passed an implementing law at the end of April 2017. The time remaining until May 2018 is therefore rather short for implementing all requirements of the GDPR. Most companies may not like it, but data protection has to become a priority, in particular because of the impending fines. And even though the supervisory authorities will be busy establishing their new competences during the first months of 2018, 25 May 2018 should be treated as a firm deadline.
We are here for you
For more information please contact:
Dr. Thomas Grädler, LL.M. (Birmingham)
honert munich
Partner, Attorney-at-Law, Tax Advisor, Tax Lawyer
M&A, Succession Planning, Business Law, International Taxation, Corporate, Tax
phone: +49 (89) 388 381 0
Dr. Jörg Schwichtenberg
honert munich
Partner, Attorney-at-Law
Litigation, Capital Markets, Compliance, Business Law, Corporate
phone: +49 (89) 388 381 0