In many cases, data protection in companies is still a subordinate issue. On the one hand, this is because companies are not sufficiently informed about what data protection means for a company in detail. On the other hand, it is because data protection is a rather unpopular and possibly annoying topic within the company. Yet with the GDPR in particular, companies of all sizes are obliged to implement extensive processes and guidelines that give data subjects more control over their personal data.
- Data protection
Data protection is generally understood to mean the protection of all information that is not intended to be freely available to the general public. This primarily refers to personal data, i.e. data that is directly related to a person. This includes personal and private information, but also data about things or certain relationships. There is an obligation to collect only the necessary minimum of personal data and to protect it from access by third parties, because everyone has the right to determine for themselves to whom they make their own data accessible, which data they make available to third parties, and when they do so. This applies to the data of customers and employees as well as to the data of business partners.
- Conflict area between data protection and advertising: what you need to consider
Since the GDPR came into force, what do I have to pay attention to in terms of data protection in the company when I advertise products and services? How may I address customers and prospects? Do I have to obtain consent or not? The GDPR does not contain any explicit regulation on the subject of advertising, but there are still a few points to consider:
a. Safeguarding legitimate interests
Personal data may be used for advertising purposes if this is necessary to “safeguard legitimate interests” of the company and there is no “overriding interest” of the data subjects. It can generally be assumed that a “legitimate interest” exists in direct mail, since it makes it easier to contact interested parties, but this must now be documented more strictly in the individual case than before.
b. Emails and calls
There are no changes with regard to customer acquisition by e-mail and telephone: in Germany, these are regulated in the Act against Unfair Competition (UWG), which remains in force. Thus, for advertising by telephone and e-mail (including newsletters), the recipient’s express consent is required.
c. Newsletter
In contrast to existing customers, new customers always require consent before receiving the newsletter. The double opt-in procedure must be used to obtain consent. So when users register for your newsletter, the registration form has to inform them to whom and for what purpose their data will be transmitted. A reference to your privacy policy, in which you provide this information, is sufficient here.
d. Right to object
If an addressee objects to receiving advertising, this must be respected without any ifs or buts. You must therefore point out the right of objection right from the start if you want to use data (also) for direct mail.
In summary, the GDPR has changed little in terms of advertising itself, but more in how the data of advertising recipients are processed and stored. What has clearly changed is that significantly higher fines and sanctions are imposed in the event of violations. In any case, it is advisable to re-examine the advertising measures in your company in terms of data protection.
- Technical and organizational measures (TOM) for data protection in the company
According to the GDPR, anyone who processes personal data must “take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk”.
Technical measures relate to the data processing process as such. This refers to measures that can be physically implemented, for example by installing an alarm system. Organizational measures, on the other hand, relate to the framework conditions of the data processing process: specifications and instructions are defined that serve to ensure that employees comply with data protection.
However, the GDPR does not name any specific instructions, but rather describes data protection goals. In addition, the GDPR leaves it to your own discretion which and how many technical and organizational measures you take.
The decisive criterion under the GDPR is the risk that your data processing poses to the data subjects. The riskier your processing of personal data, the more you have to do for data protection and data security.
For this reason, detailed documentation of the measures taken in your company on the following points is expected:
- Pseudonymization
- Encryption
- Confidentiality
- Integrity
- Availability
- Resilience of the systems
- Recovery of data
- Review, assessment and evaluation
- Instruction of subordinate employees
All TOMs are merely possible measures to improve data protection in the company. Not all measures from all protection categories have to be taken. However, it is advisable to cover as many of the named categories as possible. Ultimately, what counts is the overall level of protection that results from all measures taken.
- TOMs under the GDPR: your to-dos
- Check your data processing contracts for GDPR compliance.
- Identify personal data that you or a service provider is processing.
- Check already existing measures for their effectiveness and whether they cover the new protection categories and thus also meet the new requirements.
- Assign the old measures to the new protection categories and add measures if necessary.
- Create a processing directory.
- Analyze the risk of data processing for the individual processing operations.
- If necessary, conduct a data protection impact assessment.
- Train your employees on the subject of data protection and data security.
The specific need to adapt data protection in your company ultimately depends primarily on how your technical and organizational measures have been set up so far.
- Corporate data protection: The 5 biggest data protection mistakes
Almost everyone at work processes personal data on a daily basis, for example when keeping personnel files or when sending e-mails. All of these activities include the collection, processing, transmission or use of personal data. This means that it is important to ensure compliance with data protection in the company, especially in day-to-day work. In order to prevent unauthorized access to personal data, there are a few points that you should take into consideration with regard to data protection in the company.
You can increase data protection in your company by avoiding the following 5 most common data protection mistakes:
- No privacy policy
Every website operator who processes personal data must include a data protection declaration on their website. The data protection declaration must meet certain requirements in order to be considered legally secure. For example, the data protection officer must be named for questions and information on the subject of data protection. In addition, information about all analysis tools used must be provided.
- Don’t shred printed matter
Easily forgotten: data that is printed on paper can also fall under the protection of personal data. Under no circumstances should such documents simply end up crumpled in the wastepaper basket, because that way they are not safe from unauthorized access. We therefore recommend shredding any documents that are no longer needed. This is the only way to prevent access by outsiders.
- Usage of cloud & Co.
Cloud storage such as Dropbox and similar services is now part of many companies, since simple PC storage is no longer sufficient, especially with large amounts of data. However, these storage services are exposed on the Internet and can have security gaps. Try to store personal data in other ways to prevent misuse.
- Disclose data
It can happen at any time: information about personal data is inadvertently given to an unauthorized person. To avoid this, it is essential to instruct employees thoroughly in advance as to which information may and may not be disclosed. The same applies to confidential contracts, USB sticks and the like: make sure that you do not leave any documents with confidential content visible to everyone when you leave the workplace, especially when people from outside the company are allowed into the office and can walk around unaccompanied.
This is also where passwords come in: although everyone should know it by now, easy-to-crack passwords are still in use. This makes it child’s play for attackers to compromise the PC and gain access to confidential data. A secure password for the PC is therefore essential. It should consist of at least eight characters and contain numbers, special characters and capital and lower case letters.
- Neglecting data protection
It sounds so simple, but precisely this point is the root of all evil: deal with the topic of data protection in the company from the very beginning and train your employees. This is the only way to prevent data protection breaches and the sanctions that follow violations.
If you avoid these 5 mistakes and deal thoroughly with the topic of data protection in your company, you are well on the way not only in business terms, but also in terms of data protection law.
- Our expertise
The APTIQ Global legal and compliance consultants have many years of practical experience in the field of data protection law and are happy to support you with all data protection challenges, such as:
- Data protection audits
- Process support in the implementation of the GDPR
- Data protection documentation
- Creation of data protection declarations and other formal documents
- Data protection webinars for specific target groups (HR, Sales, other departments …)
- Data protection-compliant regulations for your relationships with customers and suppliers
- Data protection-compliant design within the framework of labor law
- … and any other data protection issues.